Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Overview
About VPN Gateway
VPN Gateway FAQ
Subscription and service limits
Get Started
Planning and design for VPN Gateway
About VPN Gateway settings
About VPN devices
About cryptographic requirements
About BGP and VPN Gateway
About highly available connections
How To
Configure a Site-to-Site connection
Azure portal
PowerShell
Azure CLI
Azure portal (classic)
Classic portal (classic)
Configure a Point-to-Site connection
Azure portal
PowerShell
Azure portal (classic)
Generate self-signed certificates for Point-to-Site
Configure a VNet-to-VNet connection
Azure portal
PowerShell
Azure CLI
Azure portal (classic)
Configure a VNet-to-VNet connection between deployment models
Azure portal
PowerShell
Configure Site-to-Site and ExpressRoute coexisting connections
PowerShell
Configure multiple Site-to-Site connections
Azure portal
PowerShell (classic)
Connect multiple policy-based VPN devices
PowerShell
Configure IPsec/IKE policies on connections
PowerShell
Configure highly available active-active connections
PowerShell
Configure BGP for a VPN gateway
PowerShell
Configure forced tunneling
PowerShell
PowerShell (classic)
Modify local network gateway settings
PowerShell
Azure CLI
Verify a VPN gateway connection
Reset a VPN gateway
Delete a VPN gateway
Azure portal
PowerShell
PowerShell (classic)
Configure a VPN gateway (classic)
Gateway SKUs (old)
Troubleshoot
Validate VPN throughput to a VNet
Reference
PowerShell
PowerShell (classic)
REST
REST (classic)
Azure CLI
Related
Virtual Network
Application Gateway
Azure DNS
Traffic Manager
Load Balancer
ExpressRoute
Resources
Blog
Forum
Pricing
SLA
Videos
About VPN Gateway
6/6/2017 10 min to read Edit Online
A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection to an
on-premises location. You can also use VPN gateways to send encrypted traffic between Azure virtual networks
over the Microsoft network. To send encrypted network traffic between your Azure virtual network and your on-
premises site, you must create a VPN gateway for your virtual network.
Each virtual network can have only one VPN gateway, however, you can create multiple connections to the same
VPN gateway. An example of this is a Multi-Site connection configuration. When you create multiple connections
to the same VPN gateway, all VPN tunnels, including Point-to-Site VPNs, share the bandwidth that is available for
the gateway.
What is a virtual network gateway?
A virtual network gateway is composed of two or more virtual machines that are deployed to a specific subnet
called the GatewaySubnet. The VMs that are located in the GatewaySubnet are created when you create the
virtual network gateway. Virtual network gateway VMs are configured to contain routing tables and gateway
services specific to the gateway. You can't directly configure the VMs that are part of the virtual network gateway
and you should never deploy additional resources to the GatewaySubnet.
When you create a virtual network gateway using the gateway type 'Vpn', it creates a specific type of virtual
network gateway that encrypts traffic; a VPN gateway. The Gateway SKU that you select when you create your
virtual network gateway determines the VMs that are created and configured in the GatewaySubnet.
Gateway SKUs
When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. Select the
SKUs that satisfy your requirements based on the types of workloads, throughputs, features, and SLAs.
Azure offers the following VPN gateway SKUs:
Throughput is based on measurements of multiple tunnels aggregated through a single gateway. It is not
a guaranteed throughput due to Internet traffic conditions and your application behaviors.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
Production vs. Dev-Test Workloads
Due to the differences in SLAs and feature sets, we recommend the following SKUs for production vs. dev-test:
WORKLOAD SKUS
If you are still using the old SKUs, the production SKU recommendations are Standard and HighPerformance
SKUs. For information on the old SKUs, see Gateway SKUs (old).
Gateway SKU feature sets
The new gateway SKUs streamline the feature sets offered on the gateways:
SKU FEATURES
IMPORTANT
1. You can resize between VpnGw1, VpnGw2, and VpnGw3 SKUs
2. You cannot resize from Basic/Standard/HighPerformance SKUs to the new VpnGw1/VpnGw2/VpnGw3 SKUs
3. For the old SKUs, you can still resize between Basic, Standard, and HighPerformance SKUs
Multi-Site
This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection
from your virtual network gateway, typically connecting to multiple on-premises sites. When working with
multiple connections, you must use a RouteBased VPN type (known as a dynamic gateway when working with
classic VNets). Because each virtual network can only have one VPN gateway, all connections through the
gateway share the available bandwidth. This is often called a "multi-site" connection.
Deployment models and methods for Site -to -Site and Multi-Site
DEPLOYMENT
MODEL/METHOD AZURE PORTAL CLASSIC PORTAL POWERSHELL AZURE CLI
(*) denotes that the classic portal can only support creating one S2S VPN connection.
(**) denotes that this method contains steps that require PowerShell.
(+) denotes that this article is written for multi-site connections.
(+) denotes this deployment method is available only for VNets in the same subscription.
(*) denotes that this deployment method also requires PowerShell.
Pricing
You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer
from the virtual network gateway. Pricing information can be found on the Pricing page.
Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you
specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data
transfer that flows through the gateway.
Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.
If you are sending traffic to your on-premises VPN device, it will be charged with the Internet egress data
transfer rate.
If you are sending traffic between virtual networks in different regions, the pricing is based the region.
If you are sending traffic only between virtual networks that are in the same region, there are no data costs.
Traffic between VNets in the same region is free.
For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.
FAQ
For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.
Next steps
Plan your VPN gateway configuration. See VPN Gateway Planning and Design.
View the VPN Gateway FAQ for additional information.
View the Subscription and service limits.
VPN Gateway FAQ
5/31/2017 24 min to read Edit Online
Point-to-Site connections
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows 10
Can I use any software VPN client for Point-to -Site that supports SSTP?
No. Support is limited only to the Windows operating system versions listed above.
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
Can I use my own internal PKI root CA for Point-to -Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.
Can I traverse proxies and firewalls using Point-to -Site capability?
Yes. We use SSTP (Secure Socket Tunneling Protocol) to tunnel through firewalls. This tunnel will appear as an
HTTPs connection.
If I restart a client computer configured for Point-to -Site, will the VPN automatically reconnect?
By default, the client computer will not reestablish the VPN connection automatically.
Does Point-to -Site support auto -reconnect and DDNS on the VPN clients?
Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.
Can I have Site -to -Site and Point-to -Site configurations coexist for the same virtual network?
Yes. Both these solutions will work if you have a RouteBased VPN type for your gateway. For the classic
deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways
or gateways using the -VpnType PolicyBased cmdlet.
Can I configure a Point-to -Site client to connect to multiple virtual networks at the same time?
Yes, it is possible. But the virtual networks cannot have overlapping IP prefixes and the Point-to-Site address
spaces must not overlap between the virtual networks.
How much throughput can I expect through Site -to -Site or Point-to -Site connections?
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols.
Throughput is also limited by the latency and bandwidth between your premises and the Internet.
IPsec/IKE policy
Is Custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?
Custom IPsec/IKE policy is supported on Azure Standard and HighPerformance VPN gateways. Basic SKU is
NOT supported.
How many policies can I specify on a connection?
You can only specify one policy combination for a given connection.
Can I specify a partial policy on a connection? (E.g., only IKE algorithms but not IPsec)
No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial
policy specification is not allowed.
What are the algorithms and key strengths supported in the custom policy?
The table below lists the supported cryptographic algorithms and key strengths configurable by the customers.
You must select one option for every field.
IPSEC/IKEV2 OPTIONS
PFS Group ECP384, ECP256, PFS24, PFS2048, PFS14, PFS2, PFS1, None
(*) IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways
(**) Please see the next FAQ item for "UsePolicyBasedTrafficSelectors"
Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device
configurations?
Your on-premises VPN device configuration must match or contain the following algorithms and parameters that
you specify on the Azure IPsec/IKE policy:
IKE encryption algorithm
IKE integrity algorithm
DH Group
IPsec encryption algorithm
IPsec integrity algorithm
PFS Group
Traffic Selector (*)
The SA lifetimes are local specifications only, do not need to match.
If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic
selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the
Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are
10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to
specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16
Refer to Connect multiple on-premises policy-based VPN devices for more details on how to use this option.
Does the custom policy replace the default IPsec/IKE policy sets for Azure VPN gateways?
Yes, once a custom policy is specified on a connection, Azure VPN gateway will only use the policy on the
connection, both as IKE initiator and IKE responder.
If I remove a custom IPsec/IKE policy, does the connection become unprotected?
No, the connection will still be protected by IPsec/IKE. Once you remove the custom policy from a connection, the
Azure VPN gateway will revert back to the default list of IPsec/IKE proposals and re-start the IKE handshake again
with your on-premises VPN device.
Would adding or updating an IPsec/IKE policy disrupt my VPN connection?
Yes, it could cause a small disruption (a few seconds) as the Azure VPN gateway will tear down the existing
connection and re-start the IKE handshake to re-establish the IPsec tunnel with the new cryptographic algorithms
and parameters. Please ensure your on-premises VPN device is also configured with the matching algorithms and
key strengths to minimize the disruption.
Can I use different policies on different connections?
Yes. Custom policy is applied on a per-connection basis. You can create and apply different IPsec/IKE policies on
different connections. You can also choose to apply custom policies on a subset of connections. The remaining
ones will use the Azure default IPsec/IKE policy sets.
Can I use the custom policy on VNet-to -VNet connection as well?
Yes, you can apply custom policy on both IPsec cross-premises connections or VNet-to-VNet connections.
Do I need to specify the same policy on both VNet-to -VNet connection resources?
Yes. A VNet-to-VNet tunnel consists of two connection resources in Azure, one for each direction. You need to
ensure both connection resources have the same policy, othereise the VNet-to-VNet connection will not establish.
Does custom IPsec/IKE policy work on ExpressRoute connection?
No. IPsec/IKE policy only works on S2S VPN and VNet-to-VNet connections via the Azure VPN gateways.
BGP
Is BGP supported on all Azure VPN Gateway SKUs?
No, BGP is supported on Azure Standard and HighPerformance VPN gateways. Basic SKU is NOT supported.
Can I use BGP with Azure Policy-Based VPN gateways?
No, BGP is supported on Route-Based VPN gateways only.
Can I use private ASNs (Autonomous System Numbers)?
Yes, you can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual
networks.
Are there ASNs reserved by Azure?
Yes, the following ASNs are reserved by Azure for both internal and external peerings:
Public ASNs: 8075, 8076, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520
You cannot specify these ASNs for your on premises VPN devices when connecting to Azure VPN gateways.
Can I use the same ASN for both on-premises VPN networks and Azure VNets?
No, you must assign different ASNs between your on-premises networks and your Azure VNets if you are
connecting them together with BGP. Azure VPN Gateways have a default ASN of 65515 assigned, whether BGP is
enabled or not for your cross-premises connectivity. You can override this default by assigning a different ASN
when creating the VPN gateway, or change the ASN after the gateway is created. You will need to assign your on-
premises ASNs to the corresponding Azure Local Network Gateways.
What address prefixes will Azure VPN gateways advertise to me?
Azure VPN gateway will advertise the following routes to your on-premises BGP devices:
Your VNet address prefixes
Address prefixes for each Local Network Gateways connected to the Azure VPN gateway
Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except default route
or routes overlapped with any VNet prefix.
Can I advertise default route (0.0.0.0/0) to Azure VPN gateways?
Yes.
Please note this will force all VNet egress traffic towards your on-premises site, and will prevent the VNet VMs
from accepting public communication from the Internet directly, such RDP or SSH from the Internet to the VMs.
Can I advertise the exact prefixes as my Virtual Network prefixes?
No, advertising the same prefixes as any one of your Virtual Network address prefixes will be blocked or filtered
by the Azure platform. However you can advertise a prefix that is a superset of what you have inside your Virtual
Network.
For example, if your virtual network used the address space 10.0.0.0/16, you could advertise 10.0.0.0/8. But you
cannot advertise 10.0.0.0/16 or 10.0.0.0/24.
Can I use BGP with my VNet-to -VNet connections?
Yes, you can use BGP for both cross-premises connections and VNet-to-VNet connections.
Can I mix BGP with non-BGP connections for my Azure VPN gateways?
Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.
Does Azure VPN gateway support BGP transit routing?
Yes, BGP transit routing is supported, with the exception that Azure VPN gateways will NOT advertise default
routes to other BGP peers. To enable transit routing across multiple Azure VPN gateways, you must enable BGP on
all intermediate VNet-to-VNet connections.
Can I have more than one tunnel between Azure VPN gateway and my on-premises network?
Yes, you can establish more than one S2S VPN tunnel between an Azure VPN gateway and your on-premises
network. Please note that all these tunnels will be counted against the total number of tunnels for your Azure VPN
gateways and you must enable BGP on both tunnels.
For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises
networks, they will consume 2 tunnels out of the total quota for your Azure VPN gateway (10 for Standard and 30
for HighPerformance).
Can I have multiple tunnels between two Azure VNets with BGP?
Yes, but at least one of the virtual network gateways must be in active-active configuration.
Can I use BGP for S2S VPN in an ExpressRoute/S2S VPN co -existence configuration?
Yes.
What address does Azure VPN gateway use for BGP Peer IP?
The Azure VPN gateway will allocate a single IP address from the GatewaySubnet range defined for the virtual
network. By default, it is the second last address of the range. For example, if your GatewaySubnet is
10.12.255.0/27, ranging from 10.12.255.0 to 10.12.255.31, the BGP Peer IP address on the Azure VPN gateway will
be 10.12.255.30. You can find this information when you list the Azure VPN gateway information.
What are the requirements for the BGP Peer IP addresses on my VPN device?
Your on-premises BGP peer address MUST NOT be the same as the public IP address of your VPN device. Use a
different IP address on the VPN device for your BGP Peer IP. It can be an address assigned to the loopback
interface on the device. Specify this address in the corresponding Local Network Gateway representing the
location.
What should I specify as my address prefixes for the Local Network Gateway when I use BGP?
Azure Local Network Gateway specifies the initial address prefixes for the on-premises network. With BGP, you
must allocate the host prefix (/32 prefix) of your BGP Peer IP address as the address space for that on-premises
network. If your BGP Peer IP is 10.52.255.254, you should specify "10.52.255.254/32" as the
localNetworkAddressSpace of the Local Network Gateway representing this on-premises network. This is to
ensure that the Azure VPN gateway establishes the BGP session through the S2S VPN tunnel.
What should I add to my on-premises VPN device for the BGP peering session?
You should add a host route of the Azure BGP Peer IP address on your VPN device pointing to the IPsec S2S VPN
tunnel. For example, if the Azure VPN Peer IP is "10.12.255.30", you should add a host route for "10.12.255.30"
with a nexthop interface of the matching IPsec tunnel interface on your VPN device.
Next steps
For more information about VPN Gateway, see About VPN Gateway.
For more information about VPN Gateway configuration settings, see About VPN Gateway configuration
settings.
Azure subscription and service limits, quotas, and
constraints
6/15/2017 53 min to read Edit Online
This document lists some of the most common Microsoft Azure limits, which are also sometimes called quotas. This
document doesn't currently cover all Azure services. Over time, the list will be expanded and updated to cover more
of the platform.
Please visit Azure Pricing Overview to learn more about Azure pricing. There, you can estimate your costs using the
Pricing Calculator or by visiting the pricing details page for a service (for example, Windows VMs). For tips to help
manage your costs, see Prevent unexpected costs with Azure billing and cost management.
NOTE
If you want to raise the limit or quota above the Default Limit, open an online customer support request at no charge. The
limits can't be raised above the Maximum Limit value shown in the following tables. If there is no Maximum Limit column,
then the resource doesn't have adjustable limits.
Free Trial subscriptions are not eligible for limit or quota increases. If you have a Free Trial, you can upgrade to a Pay-As-You-
Go subscription. For more information, see Upgrade Azure Free Trial to Pay-As-You-Go.
NOTE
It is important to emphasize that quotas for resources in Azure Resource Groups are per-region accessible by your
subscription, and are not per-subscription, as the service management quotas are. Let's use core quotas as an example. If you
need to request a quota increase with support for cores, you need to decide how many cores you want to use in which
regions, and then make a specific request for Azure Resource Group core quotas for the amounts and regions that you want.
Therefore, if you need to use 30 cores in West Europe to run your application there; you should specifically request 30 cores
in West Europe. But you will not have a core quota increase in any other region -- only West Europe will have the 30-core
quota.
As a result, you may find it useful to consider deciding what your Azure Resource Group quotas need to be for your workload
in any one region, and request that amount in each region into which you are considering deployment. See troubleshooting
deployment issues for more help discovering your current quotas for specific regions.
Service-specific limits
Active Directory
API Management
App Service
Application Gateway
Application Insights
Automation
Azure Redis Cache
Azure RemoteApp
Backup
Batch
BizTalk Services
CDN
Cloud Services
Data Factory
Data Lake Analytics
Data Lake Store
DNS
DocumentDB
Event Hubs
IoT Hub
Key Vault
Log Analytics / Operational Insights
Media Services
Mobile Engagement
Mobile Services
Monitor
Multi-Factor Authentication
Networking
Network Watcher
Notification Hub Service
Resource Group
Scheduler
Search
Service Bus
Site Recovery
SQL Database
Storage
StorSimple System
Stream Analytics
Subscription
Traffic Manager
Virtual Machines
Virtual Machine Scale Sets
Subscription limits
Subscription limits
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
1Extra Small instances count as one core towards the core limit despite using a partial core.
2This includes both Standard and Premium storage accounts. If you require more than 200 storage accounts, make
a request through Azure Support. The Azure Storage team will review your business case and may approve up to
250 storage accounts.
Subscription limits - Azure Resource Manager
The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have
not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those
limits.
For information about handling limits on Resource Manager requests, see Throttling Resource Manager requests.
VM per series (Dv2, F, etc.) cores per 201 per Region Contact support
subscription
Availability Sets per subscription 2000 per Region 2000 per Region
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
Resource Manager API Reads 15000 per hour 15000 per hour
Resource Manager API Writes 1200 per hour 1200 per hour
1Default limits vary by offer Category Type, such as Free Trial, Pay-As-You-Go, and series, such as Dv2, F, G, etc.
2This includes both Standard and Premium storage accounts. If you require more than 200 storage accounts, make
a request through Azure Support. The Azure Storage team will review your business case and may approve up to
250 storage accounts.
3These features are no longer required with Azure Resource Groups and the Azure Resource Manager.
NOTE
It is important to emphasize that virtual machine cores have a regional total limit as well as a regional per size series (Dv2, F,
etc.) limit that are separately enforced. For example, consider a subscription with a US East total VM core limit of 30, an A
series core limit of 30, and a D series core limit of 30. This subscription would be allowed to deploy 30 A1 VMs, or 30 D1
VMs, or a combnation of the two not to exceed a total of 30 cores (e.g. 10 A1 VMs and 20 D1 VMs).
Resources per resource group (per 800 Varies per resource type
resource type)
Template limits
Outputs 64 64
Template size 1 MB 1 MB
You can exceed some template limits by using a nested template. For more information, see Using linked templates
when deploying Azure resources. To reduce the number of parameters, variables, or outputs, you can combine
several values into an object. For more information, see Objects as parameters.
Virtual Machines limits
Virtual Machine limits
1Virtual machines created in Service Management (instead of Resource Manager) are automatically stored in a
cloud service. You can add more virtual machines to that cloud service for load balancing and availability. See How
to Connect Virtual Machines with a Virtual Network or Cloud Service.
2Input endpoints allow communications to a virtual machine from outside the virtual machine's cloud service.
Virtual machines in the same cloud service or virtual network can automatically communicate with each other. See
How to Set Up Endpoints to a Virtual Machine.
Virtual Machines limits - Azure Resource Manager
The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have
not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those
limits.
1With Azure Resource Manager, certificates are stored in the Azure Key Vault. Although the number of certificates is
unlimited for a subscription, there is still a 1 MB limit of certificates per deployment (which consists of either a
single VM or an availability set).
Virtual Machine Scale Sets limits
RESOURCE MAXIMUM LIMIT
Networking limits
ExpressRoute Limits
The following limits apply to ExpressRoute resources per subscription.
Number of virtual network links allowed per ExpressRoute see table below
circuit
50 Mbps 10 20
100 Mbps 10 25
200 Mbps 10 25
500 Mbps 10 40
1 Gbps 10 50
2 Gbps 10 60
NUMBER OF VNET LINKS WITH PREMIUM
CIRCUIT SIZE NUMBER OF VNET LINKS FOR STANDARD ADD-ON
5 Gbps 10 75
10 Gbps 10 100
Networking limits
The following limits apply only for networking resources managed through the classic deployment model per
subscription.
Frontend Ports 20
HTTP Listeners 20
Packet Capture sessions 10 per region # of sessions only, not saved captures
DNS limits
Storage limits
For additional details on storage account limits, see Azure Storage Scalability and Performance Targets.
Storage Service limits
Max number of blob containers, blobs, file shares, tables, Only limit is the 500 TB storage account capacity
queues, entities, or messages per storage account
Max number of files in a file share Only limit is the 5 TB total capacity of the file share
Max number of files in a file share Only limit is the 5 TB total capacity of the file share
Max number of blob containers, blobs, file shares, tables, Only limit is the 500 TB storage account capacity
queues, entities, or messages per storage account
Maximum Request Rate per storage account Blobs: 20,000 requests per second for blobs of any valid size
(capped only by the account's ingress/egress limits)
Files: 1000 IOPS (8 KB in size) per file share
Queues: 20,000 messages per second (assuming 1 KB
message size)
Tables: 20,000 transactions per second (assuming 1 KB entity
size)
Target throughput for single blob Up to 60 MB per second, or up to 500 requests per second
Target throughput for single queue (1 KB messages) Up to 2000 messages per second
Target throughput for single table partition (1 KB entities) Up to 2000 entities per second
Max ingress2 per storage account (US Regions) 10 Gbps if GRS/ZRS3 enabled, 20 Gbps for LRS
Max egress2 per storage account (US Regions) 20 Gbps if RA-GRS/GRS/ZRS3 enabled, 30 Gbps for LRS
Max ingress2 per storage account (Non-US regions) 5 Gbps if GRS/ZRS3 enabled, 10 Gbps for LRS
Max egress2 per storage account (Non-US regions) 10 Gbps if RA-GRS/GRS/ZRS3 enabled, 15 Gbps for LRS
1This includes both Standard and Premium storage accounts. If you require more than 200 storage accounts, make
a request through Azure Support. The Azure Storage team will review your business case and may approve up to
250 storage accounts.
2Ingress refers to all data (requests) being sent to a storage account. Egress refers to all data (responses) being
RA-GRS: Read-access geo-redundant storage. If RA-GRS is enabled, egress targets for the secondary location
are identical to those for the primary location.
GRS: Geo-redundant storage.
ZRS: Zone-redundant storage. Available only for block blobs.
LRS: Locally redundant storage.
Virtual machine disk limits
An Azure virtual machine supports attaching a number of data disks. For optimal performance, you will want to
limit the number of highly utilized disks attached to the virtual machine to avoid possible throttling. If all disks are
not being highly utilized at the same time, the storage account can support a larger number disks.
For Azure Managed Disks: Managed Disks count limit is regional for the subscription. The default soft limit
is 2,000 per region per subscription. To increase your limit, contact Azure support.
Managed Snapshots and Images are counted against the Managed Disks limit.
For standard storage accounts: A standard storage account has a maximum total request rate of 20,000
IOPS. The total IOPS across all of your virtual machine disks in a standard storage account should not exceed
this limit.
You can roughly calculate the number of highly utilized disks supported by a single standard storage
account based on the request rate limit. For example, for a Basic Tier VM, the maximum number of highly
utilized disks is about 66 (20,000/300 IOPS per disk), and for a Standard Tier VM, it is about 40 (20,000/500
IOPS per disk), as shown in the table below.
For premium storage accounts: A premium storage account has a maximum total throughput rate of 50
Gbps. The total throughput across all of your VM disks should not exceed this limit.
See Virtual machine sizes for additional details.
Managed virtual machine disks
Standard managed virtual machine disks
STANDARD
DISK TYPE S4 S6 S10 S20 S30 S40 S50
PREMIUM
DISKS TYPE P4 P6 P10 P20 P30 P40 P50
Throughput 25 MB/sec 50 MB/sec 100 MB/sec 150 MB/sec 200 MB/sec 250 MB/sec 250 MB/sec
per disk
1Ingress refers to all data (requests) being sent to a storage account. Egress refers to all data (responses) being
PREMIUM
STORAGE DISK
TYPE P10 P20 P30 P40 P50
Disk size 128 GiB 512 GiB 1024 GiB (1 TB) 2048 GiB (2 TB) 4095 GiB (4 TB)
Max throughput 100 MB/s 150 MB/s 200 MB/s 250 MB/s 250 MB/s
per disk
1Each Cloud Service with Web/Worker roles can have two deployments, one for production and one for staging.
Also note that this limit refers to the number of distinct roles (configuration) and not the number of instances per
role (scaling).
App Service limits
The following App Service limits include limits for Web Apps, Mobile Apps, API Apps, and Logic Apps.
PREMIUM
RESOURCE FREE SHARED (PREVIEW) BASIC STANDARD (PREVIEW)
App Service plan 1 per region 10 per resource 100 per resource 100 per resource 100 per resource
group group group group
CPU time (5 3 minutes 3 minutes Unlimited, pay at Unlimited, pay at Unlimited, pay at
min)6 standard rates standard rates standard rates
CPU time (day)6 60 minutes 240 minutes Unlimited, pay at Unlimited, pay at Unlimited, pay at
standard rates standard rates standard rates
Memory (1 hour) 1024 MB per 1024 MB per app N/A N/A N/A
App Service plan
PREMIUM
RESOURCE FREE SHARED (PREVIEW) BASIC STANDARD (PREVIEW)
Bandwidth 165 MB Unlimited, data Unlimited, data Unlimited, data Unlimited, data
transfer rates transfer rates transfer rates transfer rates
apply apply apply apply
Concurrent 1 1 1 5 5
debugger
connections per
application
azurewebsites.net X X X X X
subdomain with
FTP/S and SSL
Custom domain X X X X
support
Integrated Load X X X X
Balancer
Always On X X X
Auto Scale X X X
WebJobs9 X X X X X
Azure Scheduler X X X X
support
Endpoint X X X
monitoring
Staging Slots 5 20
1Apps and storage quotas are per App Service plan unless noted otherwise.
2
2The actual number of apps that you can host on these machines depends on the activity of the apps, the size of the
machine instances, and the corresponding resource utilization.
3Dedicated instances can be of different sizes. See App Service Pricing for more details.
4Premium tier allows up to 50 computes instances (subject to availability) and 500 GB of disk space when using
App Service Environments, and 20 compute instances and 250 GB storage otherwise.
5The storage limit is the total content size across all apps in the same App Service plan. More storage options are
number of instances).
7If you scale an app in the Basic tier to two instances, you have 350 concurrent connections for each of the two
instances.
8Premium tier allows backup intervals down up to every 5 minutes when using App Service Environments, and 50
your App Service instance. Always On is required for continuous WebJobs execution. Azure Scheduler Free or
Standard is required for scheduled WebJobs. There is no predefined limit on the number of WebJobs that can run
in an App Service instance, but there are practical limits that depend on what the application code is trying to do.
10SLA of 99.95% provided for deployments that use multiple instances with Azure Traffic Manager configured for
failover.
Scheduler limits
The following table describes each of the major quotas, limits, defaults, and throttles in Azure Scheduler.
Job size Maximum job size is 16K. If a PUT or a PATCH results in a job
larger than these limits, a 400 Bad Request status code is
returned.
Request URL size Maximum size of the request URL is 2048 chars.
Job history Maximum response body stored in job history is 2048 bytes.
Jobs The default max jobs quota is 5 jobs in a free job collection
and 50 jobs in a standard job collection. The maximum
number of jobs is configurable on a job collection. All jobs in
the job collection are limited the value set on the job
collection. If you attempt to create more jobs than the
maximum jobs quota, then the request fails with a 409
Conflict status code.
Job history retention Job history is retained for up to 2 months or up to the last
1000 executions.
Completed and faulted job retention Completed and faulted jobs are retained for 60 days.
Batch limits
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
1 Dedicated core quotas shown are only for accounts with pool allocation mode set to Batch service. For accounts
with the mode set to user subscription, core quotas are based on the VM cores quota at a regional level or per VM
family in your subscription.
2 The number of dedicated cores per Batch account can be increased, but the maximum number is unspecified.
Contact Azure support to discuss increase options.
3 Low-priority core quotas shown are only for accounts with pool allocation mode set to Batch service. Low-
priority cores are not available for accounts with pool allocation mode set to user subscription.
4 The number of low-priority cores per Batch account can be increased, but the maximum number is unspecified.
Contact Azure support to discuss increase options.
5 Completed jobs and job schedules are not limited.
6 Contact Azure support if you want to request an increase beyond this limit.
BizTalk Services limits
The following table shows the limits for Azure Biztalk Services.
Hybrid 5 5 10 50 100
Connections per
Unit
Number of N/A 1 2 5 25
connections
using BizTalk
Adapter Service
per Unit
DocumentDB limits
DocumentDB is a global scale database in which throughput and storage can be scaled to handle whatever your
application requires. If you have any questions about the scale DocumentDB provides, please send email to
askdocdb@microsoft.com.
Mobile Engagement limits
RESOURCE MAXIMUM LIMIT
Total Push Campaigns (includes Active & Completed) 1000 per app
Search limits
Pricing tiers determine the capacity and limits of your search service. Tiers include:
Free multi-tenant service, shared with other Azure subscribers, intended for evaluation and small development
projects.
Basic provides dedicated computing resources for production workloads at a smaller scale, with up to three
replicas for highly available query workloads.
Standard (S1, S2, S3, S3 High Density) is for larger production workloads. Multiple levels exist within the
standard tier so that you can choose a resource configuration that best matches your workload profile.
Limits per subscription
You can create multiple services within a subscription, each one provisioned at a specific tier, limited only by the
number of services allowed at each tier. For example, you could create up to 12 services at the Basic tier and
another 12 services at the S1 tier within the same subscription. For more information about tiers, see Choose a SKU
or tier for Azure Search.
Maximum service limits can be raised upon request. Contact Azure Support if you need more services within the
same subscription.
Maximum 1 12 12 6 6 6
services
Maximum N/A 3 3 SU 4 36 SU 36 SU 36 SU 36 SU
scale in SU 2
an individual subscriber. For this reason, maximum scale is marked as not applicable.
4 Basic has one fixed partition. At this tier, additional SUs are used for allocating more replicas for increased query
workloads.
Limits per search service
Storage is constrained by disk space or by a hard limit on the maximum number of indexes or documents,
whichever comes first.
RESOURCE FREE BASIC S1 S2 S3 S3 HD
Replicas N/A 3 12 12 12 12
Maximum 10,000 1 million 15 million per 60 million per 120 million 1 million per
documents partition or partition or per partition index or 200
180 million 720 million or 1.4 billion million per
per service per service per service partition
Estimated N/A ~3 per replica ~15 per ~60 per ~60 per >60 per
queries per replica replica replica replica
second (QPS)
1 Free tier
and preview features do not come with service level agreements (SLAs). For all billable tiers, SLAs take
effect when you provision sufficient redundancy for your service. Two or more replicas are required for query
(read) SLA. Three or more replicas are required for query and indexing (read-write) SLA. The number of partitions is
not an SLA consideration.
2 S3 HD has a hard limit of 3 partitions, which is lower than the partition limit for S3. The lower partition limit is
imposed because the index count for S3 HD is substantially higher. Given that service limits exist for both
computing resources (storage and processing) and content (indexes and documents), the content limit is reached
first.
To learn more about limits on a more granular level, such as document size, queries per second, keys, requests, and
responses, see Service limits in Azure Search.
Media Services limits
NOTE
For resources that are not fixed, you may ask for the quotas to be raised, by opening a support ticket. Do not create
additional Azure Media Services accounts in an attempt to obtain higher limits.
RESOURCE DEFAULT LIMIT
Policies 1,000,000(6)
File size In some scenarios there is a limit on the maximum file size
supported for processing in Media Services. 7
7If you are uploading content to an Asset in Azure Media Services with the intent to process it with one of the media
processors in our service (i.e. encoders like Media Encoder Standard and Media Encoder Premium Workflow, or
analysis engines like Face Detector), then you should be aware of the constraint on the maximum size.
As of May 15, 2017, the maximum size supported for a single blob is 195 TB - with file largers than this limit, your
Task will fail. We are working a fix to address this limit. In addition, the constraint on the maximum size of the Asset
is as follows.
S1 325
S2 640
S3 260
CDN limits
RESOURCE SOFT LIMIT
CDN profiles 8
Push Notifications Notification Hubs Free Tier Notification Hubs Basic Tier Notification Hubs Standard
included, up to 1 M pushes included, up to 10 M pushes Tier included, up to 10 M
pushes
For additional details on these limits and for information on pricing, see Mobile Services Pricing.
Monitor limits
RESOURCE LIMIT
For additional details on these limits and for information on pricing, see Notification Hubs Pricing.
Event Hubs limits
The following table lists quotas and limits specific to Azure Event Hubs. For information about Event Hubs pricing,
see Event Hubs pricing.
BEHAVIOR WHEN
LIMIT SCOPE TYPE EXCEEDED VALUE
BEHAVIOR WHEN
QUOTA NAME SCOPE TYPE EXCEEDED VALUE
Maximum number of
header properties in
property bag:
byte/int.MaxValue
Maximum size of
property in property
bag: No explicit limit.
Limited by maximum
header size.
BEHAVIOR WHEN
QUOTA NAME SCOPE TYPE EXCEEDED VALUE
Maximum number of
expressions per rule
action: 32.
NOTE
If you anticipate using more than 200 units with an S1 or S2 or 10 units with an S3 tier hub, contact Microsoft support.
The following table lists the limits that apply to IoT Hub resources:
RESOURCE LIMIT
NOTE
If you need more than 10 paid IoT hubs in an Azure subscription, contact Microsoft support.
NOTE
Currently, the maximum number of devices you can connect to a single IoT hub is 500,000. If you want to increase this limit,
contact Microsoft Support.
The IoT Hub service throttles requests when the following quotas are exceeded:
Device connections 6000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for
S1).
Minimum of 100/sec.
Device-to-cloud sends 6000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for
S1).
Minimum of 100/sec.
Direct methods 1500/sec/unit (for S3), 30/sec/unit (for S2), 10/sec/unit (for S1)
Device twin reads 50/sec/unit (for S3), Maximum of 10/sec or 1/sec/unit (for S2),
10/sec (for S1)
Device twin updates 50/sec/unit (for S3), Maximum of 10/sec or 1/sec/unit (for S2),
10/sec (for S1)
Jobs per-device operation throughput 50/sec/unit (for S3), Maximum of 10/sec or 1/sec/unit (for S2),
10/sec (for S1)
Retry count for pipeline activity runs 1000 MaxInt (32 bit)
1 Pipeline, dataset, and linked service objects represent a logical grouping of your
workload. Limits for these objects
do not relate to amount of data you can move and process with the Azure Data Factory service. Data factory is
designed to scale to handle petabytes of data.
2 On-demand HDInsight cores are allocated out of the subscription that contains the data factory. As a result, the
above limit is the Data Factory enforced core limit for on-demand HDInsight cores and is different from the core
limit associated with your Azure subscription.
3 Cloud data movement unit (DMU) is being used in a cloud-to-cloud copy operation. It is a measure that
represents the power (a combination of CPU, memory, and network resource allocation) of a single unit in Data
Factory. You can achieve higher copy throughput by leveraging more DMUs for some scenarios. Refer to Cloud
data movement units section on details.
Max number of access ACLs, per file or 32 This is a hard limit. Use groups to
folder manage access with fewer entries
Max number of default ACLs, per file or 32 This is a hard limit. Use groups to
folder manage access with fewer entries
Maximum number of inputs per job 60 There is a hard limit of 60 inputs per
Stream Analytics job.
Maximum number of outputs per job 60 There is a hard limit of 60 outputs per
Stream Analytics job.
Maximum number of functions per job 60 There is a hard limit of 60 functions per
Stream Analytics job.
Maximum number of Streaming Units 120 There is a hard limit of 120 Streaming
per job Units per Stream Analytics job.
Maximum number of jobs per region 1500 Each subscription may have up to 1500
jobs per geographical region.
CATEGORY LIMITS
CATEGORY LIMITS
Paid collections 3
The number of users is determined by the number of VMs used for your collection:
Basic = 16 users per VM
Standard = 10 users per VM
Premium = 4 users per VM
Premium plus = 2 users per VM
StorSimple System limits
LIMIT IDENTIFIER LIMIT COMMENTS
Maximum number of schedules per 168 A schedule for every hour, every day of
bandwidth template the week (24*7).
LIMIT IDENTIFIER LIMIT COMMENTS
Maximum size of a tiered volume on 64 TB for 8100 and 8600 8100 and 8600 are physical devices.
physical devices
Maximum size of a tiered volume on 30 TB for 8010 8010 and 8020 are virtual devices in
virtual devices in Azure 64 TB for 8020 Azure that use Standard Storage and
Premium Storage respectively.
Maximum size of a locally pinned 9 TB for 8100 8100 and 8600 are physical devices.
volume on physical devices 24 TB for 8600
Maximum number of snapshots of any 256 This includes local snapshots and cloud
type that can be retained per volume snapshots.
Restore and clone recover time for < 2 minutes The volume is made available
tiered volumes within 2 minutes of restore or
clone operation, regardless of
the volume size.
The volume performance may
initially be slower than normal as
most of the data and metadata
still resides in the cloud.
Performance may increase as
data flows from the cloud to the
StorSimple device.
The total time to download
metadata depends on the
allocated volume size. Metadata
is automatically brought into the
device in the background at the
rate of 5 minutes per TB of
allocated volume data. This rate
may be affected by Internet
bandwidth to the cloud.
The restore or clone operation is
complete when all the metadata
is on the device.
Backup operations cannot be
performed until the restore or
clone operation is fully complete.
LIMIT IDENTIFIER LIMIT COMMENTS
Restore recover time for locally pinned < 2 minutes The volume is made available
volumes within 2 minutes of the restore
operation, regardless of the
volume size.
The volume performance may
initially be slower than normal as
most of the data and metadata
still resides in the cloud.
Performance may increase as
data flows from the cloud to the
StorSimple device.
The total time to download
metadata depends on the
allocated volume size. Metadata
is automatically brought into the
device in the background at the
rate of 5 minutes per TB of
allocated volume data. This rate
may be affected by Internet
bandwidth to the cloud.
Unlike tiered volumes, in the
case of locally pinned volumes,
the volume data is also
downloaded locally on the
device. The restore operation is
complete when all the volume
data has been brought to the
device.
The restore operations may be
long and the total time to
complete the restore will depend
on the size of the provisioned
local volume, your Internet
bandwidth and the existing data
on the device. Backup
operations on the locally pinned
volume are allowed while the
restore operation is in progress.
Maximum client read/write throughput 920/720 MB/s with a single 10GbE Up to 2x with MPIO and two network
(when served from the SSD tier)* network interface interfaces.
Maximum client read/write throughput 11/41 MB/s Read throughput depends on clients
(when served from the cloud tier)* generating and maintaining sufficient
I/O queue depth.
* Maximum throughput per I/O type was measured with 100 percent read and 100 percent write scenarios. Actual
throughput may be lower and depends on I/O mix and network conditions.
Log Analytics limits
NOTE
Log Analytics was formerly known as Operational Insights.
Number of paid workspaces per N/A You are limited by the number of
subscription resources within a resource group and
number of resource groups per
subscription
1 When customers reach their 500 MB daily data transfer limit, data analysis stops and resumes at the start of the
next day. A day is based on UTC.
2 The data retention period for the Standalone and OMS pricing plans can be increased to 730 days.
Data Collector API Maximum size for a single post is 30 Split larger volumes into multiple posts
MB Fields longer than 32 KB are truncated.
Maximum size for field values is 32 KB
Search API 5000 records returned for non- Aggregated data is a search that
aggregated data includes the measure command
500000 records for aggregated data
Backup limits
The following limits apply to Azure Backup.
Size of a data source for data stored in Azure vault storage 54400 GB max1
Number of backup vaults that can be created in each Azure 25(Backup vaults)
subscription 25 Recovery Services vault per region
LIMIT IDENTIFIER DEFAULT LIMIT
Number of times backup can be scheduled per day 3 per day for Windows Server/Client
2 per day for SCDPM
Once a day for IaaS VMs
Total data per day 500 GB You can reduce data by setting a cap. If
you need more, mail
AIDataCap@microsoft.com.
Availability multi-step test detailed 90 days This resource provides detailed results
results retention of each step.
For more information, see About pricing and quotas in Application Insights.
API Management limits
RESOURCE LIMIT
Cache 5 GB1
1API Management limits are different foreach pricing tier. To see the pricing tiers and their associated limits and
scaling options, see API Management Pricing.
Azure Redis Cache limits
RESOURCE LIMIT
Databases 64
Azure Redis Cache limits and sizes are different for each pricing tier. To see the pricing tiers and their associated
sizes, see Azure Redis Cache Pricing.
For more information on Azure Redis Cache configuration limits, see Default Redis server configuration.
Because configuration and management of Azure Redis Cache instances is done by Microsoft, not all Redis
commands are supported in Azure Redis Cache. For more information, see Redis commands not supported in
Azure Redis Cache.
Key Vault limits
MAX TRANSACTIONS ALLOWED IN 10 SECONDS, PER VAULT PER
TRANSACTIONS TYPE REGION1
1 There is a subscription-wide limit forall transaction types, that is 5x per key vault limit. For example, HSM- other
transactions per subscription are limited to 5000 transactions in 10 seconds per subscription.
Multi-Factor Authentication
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
Automation limits
RESOURCE MAXIMUM LIMIT
Job Run Time - Free tier 500 minutes per subscription per calendar month
See also
Understanding Azure Limits and Increases
Virtual Machine and Cloud Service Sizes for Azure
Sizes for Cloud Services
Planning and design for VPN Gateway
6/7/2017 7 min to read Edit Online
Planning and designing your cross-premises and VNet-to-VNet configurations can be either simple, or
complicated, depending on your networking needs. This article walks you through basic planning and design
considerations.
Planning
Cross-premises connectivity options
If you want to connect your on-premises sites securely to a virtual network, you have three different ways to do so:
Site-to-Site, Point-to-Site, and ExpressRoute. Compare the different cross-premises connections that are available.
The option you choose can depend on various considerations, such as:
What kind of throughput does your solution require?
Do you want to communicate over the public Internet via secure VPN, or over a private connection?
Do you have a public IP address available to use?
Are you planning to use a VPN device? If so, is it compatible?
Are you connecting just a few computers, or do you want a persistent connection for your site?
What type of VPN gateway is required for the solution you want to create?
Which gateway SKU should you use?
Planning table
The following table can help you decide the best connectivity option for your solution.
Azure Supported Services Cloud Services and Virtual Cloud Services and Virtual Services list
Machines Machines
Typical Bandwidths Typically < 100 Mbps Typically < 100 Mbps 50 Mbps, 100 Mbps, 200
aggregate aggregate Mbps, 500 Mbps, 1 Gbps, 2
Gbps, 5 Gbps, 10 Gbps
Typical use case Prototyping, dev / test / lab Dev / test / lab scenarios Access to all Azure services
scenarios for cloud services and small scale production (validated list), Enterprise-
and virtual machines workloads for cloud services class and mission critical
and virtual machines workloads, Backup, Big Data,
Azure as a DR site
POINT-TO-SITE SITE-TO-SITE EXPRESSROUTE
Gateway SKUs
Azure offers the following VPN gateway SKUs:
Throughput is based on measurements of multiple tunnels aggregated through a single gateway. It is not a
guaranteed throughput due to Internet traffic conditions and your application behaviors.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
Workflow
The following list outlines the common workflow for cloud connectivity:
1. Design and plan your connectivity topology and list the address spaces for all networks you want to connect.
2. Create an Azure virtual network.
3. Create a VPN gateway for the virtual network.
4. Create and configure connections to on-premises networks or other virtual networks (as needed).
5. Create and configure a Point-to-Site connection for your Azure VPN gateway (as needed).
Design
Connection topologies
Start by looking at the diagrams in the About VPN Gateway article. The article contains basic diagrams, the
deployment models for each topology (Resource Manager or classic), and which deployment tools you can use to
deploy your configuration.
Design basics
The following sections discuss the VPN gateway basics. Also, consider networking services limitations.
About subnets
When you are creating connections, you must consider your subnet ranges. You cannot have overlapping subnet
address ranges. An overlapping subnet is when one virtual network or on-premises location contains the same
address space that the other location contains. This means that you need your network engineers for your local on-
premises networks to carve out a range for you to use for your Azure IP addressing space/subnets. You need
address space that is not being used on the local on-premises network.
Avoiding overlapping subnets is also important when you are working with VNet-to-VNet connections. If your
subnets overlap and an IP address exists in both the sending and destination VNets, VNet-to-VNet connections fail.
Azure can't route the data to the other VNet because the destination address is part of the sending VNet.
VPN Gateways require a specific subnet called a gateway subnet. All gateway subnets must be named
GatewaySubnet to work properly. Be sure not to name your gateway subnet a different name, and don't deploy
VMs or anything else to the gateway subnet. See Gateway Subnets.
About local network gateways
The local network gateway typically refers to your on-premises location. In the classic deployment model, the local
network gateway is referred to as a Local Network Site. When you configure a local network gateway, you give it a
name, specify the public IP address of the on-premises VPN device, and specify the address prefixes that are in the
on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration
that you have specified for the local network gateway, and routes packets accordingly. You can modify these
address prefixes as needed. For more information, see Local network gateways.
About gateway types
Selecting the correct gateway type for your topology is critical. If you select the wrong type, your gateway won't
work properly. The gateway type specifies how the gateway itself connects and is a required configuration setting
for the Resource Manager deployment model.
The gateway types are:
Vpn
ExpressRoute
About connection types
Each configuration requires a specific connection type. The connection types are:
IPsec
Vnet2Vnet
ExpressRoute
VPNClient
About VPN types
Each configuration requires a specific VPN type. If you are combining two configurations, such as creating a Site-
to-Site connection and a Point-to-Site connection to the same VNet, you must use a VPN type that satisfies both
connection requirements.
PolicyBased: PolicyBased VPNs were previously called static routing gateways in the classic deployment
model. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies
configured with the combinations of address prefixes between your on-premises network and the Azure
VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration. The
value for a PolicyBased VPN type is PolicyBased. When using a PolicyBased VPN, keep in mind the following
limitations:
PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with
other gateway SKUs.
You can have only 1 tunnel when using a PolicyBased VPN.
You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN
Gateway configurations require a RouteBased VPN.
RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment
model. RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their
corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the
tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as any-to-any (or wild cards). The
value for a RouteBased VPN type is RouteBased.
The following tables show the VPN type as it maps to each connection configuration. Make sure the VPN type for
your gateway matches the configuration that you want to create.
VPN type - Resource Manager deployment model
ROUTEBASED POLICYBASED
DYNAMIC STATIC
Next steps
See the VPN Gateway FAQ and About VPN Gateway articles for more information to help you with your design.
For more information about specific gateway settings, see About VPN Gateway Settings.
About VPN Gateway configuration settings
6/7/2017 9 min to read Edit Online
A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network and
your on-premises location across a public connection. You can also use a VPN gateway to send traffic between
virtual networks across the Azure backbone.
A VPN gateway connection relies on the configuration of multiple resources, each of which contains configurable
settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual
network created in Resource Manager deployment model. You can find descriptions and topology diagrams for
each connection solution in the About VPN Gateway article.
Gateway types
Each virtual network can only have one virtual network gateway of each type. When you are creating a virtual
network gateway, you must make sure that the gateway type is correct for your configuration.
The available values for -GatewayType are:
Vpn
ExpressRoute
A VPN gateway requires the -GatewayType Vpn.
Example:
Gateway SKUs
When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. Select the
SKUs that satisfy your requirements based on the types of workloads, throughputs, features, and SLAs.
Azure offers the following VPN gateway SKUs:
Throughput is based on measurements of multiple tunnels aggregated through a single gateway. It is not a
guaranteed throughput due to Internet traffic conditions and your application behaviors.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
Production vs. Dev-Test Workloads
Due to the differences in SLAs and feature sets, we recommend the following SKUs for production vs. dev-test:
WORKLOAD SKUS
If you are still using the old SKUs, the production SKU recommendations are Standard and HighPerformance
SKUs. For information on the old SKUs, see Gateway SKUs (old).
Gateway SKU feature sets
The new gateway SKUs streamline the feature sets offered on the gateways:
SKU FEATURES
IMPORTANT
1. You can resize between VpnGw1, VpnGw2, and VpnGw3 SKUs
2. You cannot resize from Basic/Standard/HighPerformance SKUs to the new VpnGw1/VpnGw2/VpnGw3 SKUs
3. For the old SKUs, you can still resize between Basic, Standard, and HighPerformance SKUs
Connection types
In the Resource Manager deployment model, each configuration requires a specific virtual network gateway
connection type. The available Resource Manager PowerShell values for -ConnectionType are:
IPsec
Vnet2Vnet
ExpressRoute
VPNClient
In the following PowerShell example, we create a S2S connection that requires the connection type IPsec.
VPN types
When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The
VPN type that you choose depends on the connection topology that you want to create. For example, a P2S
connection requires a RouteBased VPN type. A VPN type can also depend on the hardware that you will be using.
S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.
The VPN type you select must satisfy all the connection requirements for the solution you want to create. For
example, if you want to create a S2S VPN gateway connection and a P2S VPN gateway connection for the same
virtual network, you would use VPN type RouteBased because P2S requires a RouteBased VPN type. You would
also need to verify that your VPN device supported a RouteBased VPN connection.
Once a virtual network gateway has been created, you can't change the VPN type. You have to delete the virtual
network gateway and create a new one. There are two VPN types:
PolicyBased: PolicyBased VPNs were previously called static routing gateways in the classic deployment
model. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies
configured with the combinations of address prefixes between your on-premises network and the Azure
VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration. The
value for a PolicyBased VPN type is PolicyBased. When using a PolicyBased VPN, keep in mind the
following limitations:
PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with
other gateway SKUs.
You can have only 1 tunnel when using a PolicyBased VPN.
You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN
Gateway configurations require a RouteBased VPN.
RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment
model. RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their
corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the
tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as any-to-any (or wild cards). The
value for a RouteBased VPN type is RouteBased.
The following PowerShell example specifies the -VpnType as RouteBased. When you are creating a gateway, you
must make sure that the -VpnType is correct for your configuration.
Gateway requirements
The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to
both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are
the same as Static gateways, and Route-based gateways are the same as Dynamic gateways.
Authentication Pre-shared key Pre-shared key for Pre-shared key for Pre-shared key for
method S2S connectivity, S2S connectivity, S2S connectivity,
Certificates for P2S Certificates for P2S Certificates for P2S
connectivity connectivity connectivity
Maximum number 1 10 10 30
of S2S connections
Gateway subnet
In order to configure a virtual network gateway for your VNet, you'll need to create a gateway subnet. The
gateway subnet contains the IP addresses that the virtual network gateway services use. The gateway subnet must
be named GatewaySubnet to work properly. This name lets Azure know that this subnet should be used for the
gateway.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP
addresses in the gateway subnet are allocated to the gateway service. Some configurations require more IP
addresses to be allocated to the gateway service than do others. You want to make sure your gateway subnet
contains enough IP addresses to accommodate future growth and possible additional new connection
configurations. So, while you can create a gateway subnet as small as /29, we recommend that you create a
gateway subnet of /28 or larger (/28, /27, /26 etc.). Look at the requirements for the configuration that you want
to create and verify that the gateway subnet that you have will meet those requirements.
The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can
see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently
exist.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
Sometimes you need to modify the local network gateway settings. For example, when you add or modify the
address range, or if the IP address of the VPN device changes. For a classic VNet, you can change these settings in
the classic portal on the Local Networks page. For Resource Manager, see Modify local network gateway settings
using PowerShell.
PowerShell PowerShell
A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN
gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure
connections between your on-premises networks and your virtual networks. This article provides the list of
IPsec/IKE parameters for Azure VPN gateways, and a list of validated VPN devices connecting to Azure VPN
gateways.
IMPORTANT
If you are experiencing connectivity issues between your on-premises VPN devices and Azure VPN gateways, refer to
Known device compatibility issues.
NOTE
When configuring a Site-to-Site connection, a public-facing IPv4 IP address is required for your VPN device.
POLICYBASED ROUTEBASED
MINIMUM OS CONFIGURATION CONFIGURATION
VENDOR DEVICE FAMILY VERSION INSTRUCTIONS INSTRUCTIONS
A10 Networks, Inc. Thunder CFW ACOS 4.1.1 Not Compatible Configuration guide
Barracuda Networks, Barracuda NextGen PolicyBased: 5.4.3 Configuration guide Configuration guide
Inc. Firewall F-series RouteBased: 6.2.0
Barracuda Networks, Barracuda NextGen Barracuda Firewall Configuration guide Not compatible
Inc. Firewall X-series 6.5
Brocade Vyatta 5400 vRouter Virtual Router 6.6R3 Configuration guide Not compatible
GA
Citrix NetScaler MPX, SDX, 10.1 and above Configuration guide Not compatible
VPX
Internet Initiative SEIL Series SEIL/X 4.60 Configuration guide Not compatible
Japan (IIJ) SEIL/B1 4.60
SEIL/x86 3.20
Palo Alto Networks All devices running PAN-OS Configuration guide Configuration guide
PAN-OS PolicyBased: 6.1.5 or
later
RouteBased: 7.1.4
SonicWall TZ Series, NSA Series SonicOS 5.8.x Configuration guide Configuration guide
SuperMassive Series SonicOS 5.9.x for SonicOS 6.2 for SonicOS 6.2
E-Class NSA Series SonicOS 6.x Configuration guide Configuration guide
for SonicOS 5.9 for SonicOS 5.9
IPsec/IKE parameters
NOTE
Although the values listed in the following table are supported by the Azure VPN Gateway, currently there is no
mechanism for you to specify or select a specific combination of algorithms or parameters from the Azure VPN Gateway.
You must specify any constraints from the on-premises VPN device. In addition, you must clamp MSS at 1350.
8 AES256 SHA1 1
9 AES256 SHA1 2
10 AES256 SHA1 14
11 AES128 SHA1 1
12 AES128 SHA1 2
13 AES128 SHA1 14
14 3DES SHA1 1
15 3DES SHA1 2
16 3DES SHA256 2
17 AES256 SHA256 1
18 AES256 SHA256 2
19 AES256 SHA256 14
20 AES256 SHA1 24
21 AES256 SHA256 24
23 AES128 SHA256 1
24 AES128 SHA256 2
25 AES128 SHA256 14
26 3DES SHA1 14
You can specify IPsec ESP NULL encryption with RouteBased and High Performance VPN gateways. Null
based encryption does not provide protection to data in transit, and should only be used when maximum
throughput and minimum latency is required. Clients may choose to use this in VNet-to-VNet
communication scenarios, or when encryption is being applied elsewhere in the solution.
For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with
encryption and hashing algorithms listed in the tables above to ensure security of your critical
communication.
This article discuss how you can configure Azure VPN gateways to satisfy your cryptographic requirements for
both cross-premises S2S VPN tunnels and VNet-to-VNet connections within Azure.
About IPsec and IKE policy parameters for Azure VPN gateways
IPsec and IKE protocol standard supports a wide range of cryptographic algorithms in various combinations. If
customers do not request a specific combination of cryptographic alrogithms and parameters, Azure VPN
gateways use a set of default proposals. The default policy sets were chosen to maximize interoperability with a
wide range of third party VPN devices in default configurations. As a result, the policies and the number of
proposals cannot cover all possible combinations of available cryptographic algorithms and key strengths.
The default policy set for Azure VPN gateway is listed in the document: About VPN devices and IPsec/IKE
parameters for Site-to-Site VPN Gateway connections.
Cryptographic requirements
For communications that require specific cryptographic algorithms or parameters, typically due to compliance or
security requirements, customers can now configure their Azure VPN gateways to use a custom IPsec/IKE policy
with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.
For example, the IKEv2 main mode policies for Azure VPN gateways utilize only Diffie-Hellman Group 2 (1024bits),
whereas customers may need to specify stronger groups to be used in IKE, such as Group 14 (2048-bit), Group 24
(2048-bit MODP Group), or ECP (elliptic curve groups) 256 or 384 bit (Group 19 and Group 20, respectively).
Similar requirements apply to IPsec quick mode policies as well.
You can create an IPsec/IKE policy and apply to a new or existing connection. The workflow is listed below:
1. Create the virtual networks, VPN gateways, or local network gateways for your connectivity topology as
described in other how-to documents
2. Create an IPsec/IKE policy
3. You can apply the policy when you create a S2S or VNet-to-VNet connection
4. If the connection is already created, you can apply or update the policy to an existing connection
IPsec/IKE policy FAQ
Is Custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?
Custom IPsec/IKE policy is supported on Azure Standard and HighPerformance VPN gateways. Basic SKU is
NOT supported.
How many policies can I specify on a connection?
You can only specify one policy combination for a given connection.
Can I specify a partial policy on a connection? (E.g., only IKE algorithms but not IPsec)
No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial
policy specification is not allowed.
What are the algorithms and key strengths supported in the custom policy?
The table below lists the supported cryptographic algorithms and key strengths configurable by the customers.
You must select one option for every field.
IPSEC/IKEV2 OPTIONS
PFS Group ECP384, ECP256, PFS24, PFS2048, PFS14, PFS2, PFS1, None
(*) IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways
(**) Please see the next FAQ item for "UsePolicyBasedTrafficSelectors"
Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device
configurations?
Your on-premises VPN device configuration must match or contain the following algorithms and parameters that
you specify on the Azure IPsec/IKE policy:
IKE encryption algorithm
IKE integrity algorithm
DH Group
IPsec encryption algorithm
IPsec integrity algorithm
PFS Group
Traffic Selector (*)
The SA lifetimes are local specifications only, do not need to match.
If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic
selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the
Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are
10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to
specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16
Refer to Connect multiple on-premises policy-based VPN devices for more details on how to use this option.
Does the custom policy replace the default IPsec/IKE policy sets for Azure VPN gateways?
Yes, once a custom policy is specified on a connection, Azure VPN gateway will only use the policy on the
connection, both as IKE initiator and IKE responder.
If I remove a custom IPsec/IKE policy, does the connection become unprotected?
No, the connection will still be protected by IPsec/IKE. Once you remove the custom policy from a connection, the
Azure VPN gateway will revert back to the default list of IPsec/IKE proposals and re-start the IKE handshake again
with your on-premises VPN device.
Would adding or updating an IPsec/IKE policy disrupt my VPN connection?
Yes, it could cause a small disruption (a few seconds) as the Azure VPN gateway will tear down the existing
connection and re-start the IKE handshake to re-establish the IPsec tunnel with the new cryptographic algorithms
and parameters. Please ensure your on-premises VPN device is also configured with the matching algorithms and
key strengths to minimize the disruption.
Can I use different policies on different connections?
Yes. Custom policy is applied on a per-connection basis. You can create and apply different IPsec/IKE policies on
different connections. You can also choose to apply custom policies on a subset of connections. The remaining
ones will use the Azure default IPsec/IKE policy sets.
Can I use the custom policy on VNet-to -VNet connection as well?
Yes, you can apply custom policy on both IPsec cross-premises connections or VNet-to-VNet connections.
Do I need to specify the same policy on both VNet-to -VNet connection resources?
Yes. A VNet-to-VNet tunnel consists of two connection resources in Azure, one for each direction. You need to
ensure both connection resources have the same policy, othereise the VNet-to-VNet connection will not establish.
Does custom IPsec/IKE policy work on ExpressRoute connection?
No. IPsec/IKE policy only works on S2S VPN and VNet-to-VNet connections via the Azure VPN gateways.
Next steps
See Configure IPsec/IKE policy for step-by-step instructions on configuring custom IPsec/IKE policy on a
connection.
See also Connect multiple policy-based VPN devices to learn more about the UsePolicyBasedTrafficSelectors
option.
Overview of BGP with Azure VPN Gateways
1/17/2017 7 min to read Edit Online
This article provides an overview of BGP (Border Gateway Protocol) support in Azure VPN Gateways.
BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability
information between two or more networks. When used in the context of Azure Virtual Networks, BGP enables the
Azure VPN Gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that
will inform both gateways on the availability and reachability for those prefixes to go through the gateways or
routers involved. BGP can also enable transit routing among multiple networks by propagating routes a BGP
gateway learns from one BGP peer to all other BGP peers.
Support transit routing between your on-premises networks and multiple Azure VNets
BGP enables multiple gateways to learn and propagate prefixes from different networks, whether they are directly
or indirectly connected. This can enable transit routing with Azure VPN gateways between your on-premises sites
or across multiple Azure Virtual Networks.
The following diagram shows an example of a multi-hop topology with multiple paths that can transit traffic
between the two on-premises networks through Azure VPN gateways within the Microsoft Networks:
BGP FAQ
Is BGP supported on all Azure VPN Gateway SKUs?
No, BGP is supported on Azure Standard and HighPerformance VPN gateways. Basic SKU is NOT supported.
Can I use BGP with Azure Policy-Based VPN gateways?
No, BGP is supported on Route-Based VPN gateways only.
Can I use private ASNs (Autonomous System Numbers)?
Yes, you can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual
networks.
Are there ASNs reserved by Azure?
Yes, the following ASNs are reserved by Azure for both internal and external peerings:
Public ASNs: 8075, 8076, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520
You cannot specify these ASNs for your on premises VPN devices when connecting to Azure VPN gateways.
Can I use the same ASN for both on-premises VPN networks and Azure VNets?
No, you must assign different ASNs between your on-premises networks and your Azure VNets if you are
connecting them together with BGP. Azure VPN Gateways have a default ASN of 65515 assigned, whether BGP is
enabled or not for your cross-premises connectivity. You can override this default by assigning a different ASN
when creating the VPN gateway, or change the ASN after the gateway is created. You will need to assign your on-
premises ASNs to the corresponding Azure Local Network Gateways.
What address prefixes will Azure VPN gateways advertise to me?
Azure VPN gateway will advertise the following routes to your on-premises BGP devices:
Your VNet address prefixes
Address prefixes for each Local Network Gateways connected to the Azure VPN gateway
Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except default route
or routes overlapped with any VNet prefix.
Can I advertise default route (0.0.0.0/0) to Azure VPN gateways?
Yes.
Please note this will force all VNet egress traffic towards your on-premises site, and will prevent the VNet VMs
from accepting public communication from the Internet directly, such RDP or SSH from the Internet to the VMs.
Can I advertise the exact prefixes as my Virtual Network prefixes?
No, advertising the same prefixes as any one of your Virtual Network address prefixes will be blocked or filtered by
the Azure platform. However you can advertise a prefix that is a superset of what you have inside your Virtual
Network.
For example, if your virtual network used the address space 10.0.0.0/16, you could advertise 10.0.0.0/8. But you
cannot advertise 10.0.0.0/16 or 10.0.0.0/24.
Can I use BGP with my VNet-to -VNet connections?
Yes, you can use BGP for both cross-premises connections and VNet-to-VNet connections.
Can I mix BGP with non-BGP connections for my Azure VPN gateways?
Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.
Does Azure VPN gateway support BGP transit routing?
Yes, BGP transit routing is supported, with the exception that Azure VPN gateways will NOT advertise default
routes to other BGP peers. To enable transit routing across multiple Azure VPN gateways, you must enable BGP on
all intermediate VNet-to-VNet connections.
Can I have more than one tunnel between Azure VPN gateway and my on-premises network?
Yes, you can establish more than one S2S VPN tunnel between an Azure VPN gateway and your on-premises
network. Please note that all these tunnels will be counted against the total number of tunnels for your Azure VPN
gateways and you must enable BGP on both tunnels.
For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises
networks, they will consume 2 tunnels out of the total quota for your Azure VPN gateway (10 for Standard and 30
for HighPerformance).
Can I have multiple tunnels between two Azure VNets with BGP?
Yes, but at least one of the virtual network gateways must be in active-active configuration.
Can I use BGP for S2S VPN in an ExpressRoute/S2S VPN co -existence configuration?
Yes.
What address does Azure VPN gateway use for BGP Peer IP?
The Azure VPN gateway will allocate a single IP address from the GatewaySubnet range defined for the virtual
network. By default, it is the second last address of the range. For example, if your GatewaySubnet is
10.12.255.0/27, ranging from 10.12.255.0 to 10.12.255.31, the BGP Peer IP address on the Azure VPN gateway will
be 10.12.255.30. You can find this information when you list the Azure VPN gateway information.
What are the requirements for the BGP Peer IP addresses on my VPN device?
Your on-premises BGP peer address MUST NOT be the same as the public IP address of your VPN device. Use a
different IP address on the VPN device for your BGP Peer IP. It can be an address assigned to the loopback
interface on the device. Specify this address in the corresponding Local Network Gateway representing the
location.
What should I specify as my address prefixes for the Local Network Gateway when I use BGP?
Azure Local Network Gateway specifies the initial address prefixes for the on-premises network. With BGP, you
must allocate the host prefix (/32 prefix) of your BGP Peer IP address as the address space for that on-premises
network. If your BGP Peer IP is 10.52.255.254, you should specify "10.52.255.254/32" as the
localNetworkAddressSpace of the Local Network Gateway representing this on-premises network. This is to ensure
that the Azure VPN gateway establishes the BGP session through the S2S VPN tunnel.
What should I add to my on-premises VPN device for the BGP peering session?
You should add a host route of the Azure BGP Peer IP address on your VPN device pointing to the IPsec S2S VPN
tunnel. For example, if the Azure VPN Peer IP is "10.12.255.30", you should add a host route for "10.12.255.30"
with a nexthop interface of the matching IPsec tunnel interface on your VPN device.
Next steps
See Getting started with BGP on Azure VPN gateways for steps to configure BGP for your cross-premises and
VNet-to-VNet connections.
Highly Available Cross-Premises and VNet-to-VNet
Connectivity
1/17/2017 5 min to read Edit Online
This article provides an overview of Highly Available configuration options for your cross-premises and VNet-to-
VNet connectivity using Azure VPN gateways.
This configuration provides multiple active tunnels from the same Azure VPN gateway to your on-premises devices
in the same location. There are some requirements and constraints:
1. You need to create multiple S2S VPN connections from your VPN devices to Azure. When you connect multiple
VPN devices from the same on-premises network to Azure, you need to create one local network gateway for
each VPN device, and one connection from your Azure VPN gateway to the local network gateway.
2. The local network gateways corresponding to your VPN devices must have unique public IP addresses in the
"GatewayIpAddress" property.
3. BGP is required for this configuration. Each local network gateway representing a VPN device must have a
unique BGP peer IP address specified in the "BgpPeerIpAddress" property.
4. The AddressPrefix property field in each local network gateway must not overlap. You should specify the
"BgpPeerIpAddress" in /32 CIDR format in the AddressPrefix field, for example, 10.200.200.254/32.
5. You should use BGP to advertise the same prefixes of the same on-premises network prefixes to your Azure
VPN gateway, and the traffic will be forwarded through these tunnels simultaneously.
6. Each connection is counted against the maximum number of tunnels for your Azure VPN gateway, 10 for Basic
and Standard SKUs, and 30 for HighPerformance SKU.
In this configuration, the Azure VPN gateway is still in active-standby mode, so the same failover behavior and brief
interruption will still happen as described above. But this setup guards against failures or interruptions on your on-
premises network and VPN devices.
Active -active Azure VPN gateway
You can now create an Azure VPN gateway in an active-active configuration, where both instances of the gateway
VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown the following diagram:
In this configuration, each Azure gateway instance will have a unique public IP address, and each will establish an
IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and connection.
Note that both VPN tunnels are actually part of the same connection. You will still need to configure your on-
premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway public IP
addresses.
Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network
to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN
device may favor one tunnel over the other. Note though the same TCP or UDP flow will always traverse the same
tunnel or path, unless a maintenance event happens on one of the instances.
When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that
instance to your on-premises VPN device will be disconnected. The corresponding routes on your VPN devices
should be removed or withdrawn automatically so that the traffic will be switched over to the other active IPsec
tunnel. On the Azure side, the switch over will happen automatically from the affected instance to the active
instance.
Dual-redundancy: active -active VPN gateways for both Azure and on-premises networks
The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in the
diagram below.
Here you create and setup the Azure VPN gateway in an active-active configuration, and create two local network
gateways and two connections for your two on-premises VPN devices as described above. The result is a full mesh
connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network.
All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels
simultaneously, although each TCP or UDP flow will again follow the same tunnel or path from the Azure side. Even
though by spreading the traffic, you may see slightly better throughput over the IPsec tunnels, the primary goal of
this configuration is for high availability. And due to the statistical nature of the spreading, it is difficult to provide
the measurement on how different application traffic conditions will affect the aggregate throughput.
This topology will require two local network gateways and two connections to support the pair of on-premises VPN
devices, and BGP is required to allow the two connections to the same on-premises network. These requirements
are the same as the above.
This ensures there are always a pair of tunnels between the two virtual networks for any planned maintenance
events, providing even better availability. Even though the same topology for cross-premises connectivity requires
two connections, the VNet-to-VNet topology shown above will need only one connection for each gateway.
Additionally, BGP is optional unless transit routing over the VNet-to-VNet connection is required.
Next steps
See Configuring Active-Active VPN Gateways for Cross-Premises and VNet-to-VNet Connections for steps to
configure active-active cross-premises and VNet-to-VNet connections.
Create a Site-to-Site connection in the Azure portal
6/2/2017 15 min to read Edit Online
This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-
premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You
can also create this configuration using a different deployment tool or deployment model by selecting a different
option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises
that has an externally facing public IP address assigned to it. For more information about VPN gateways, see
About VPN gateway.
4. The Name for your subnet will automatically be filled in with the value 'GatewaySubnet'. This value is
required in order for Azure to recognize the subnet as the GatewaySubnet. Adjust the auto-filled Address
range values to match your configuration requirements.
5. Click OK at the bottom of the blade to create the subnet.
3. On the Create virtual network gateway blade, specify the values for your virtual network gateway.
Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the
gateway object you are creating.
Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
VPN type: Select the VPN type that is specified for your configuration. Most configurations require a
Route-based VPN type.
SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN
type you select. For more information about gateway SKUs, see Gateway SKUs.
Location: You may need to scroll to see Location. Adjust the Location field to point to the location
where your virtual network is located. If the location is not pointing to the region where your virtual
network resides, the virtual network will not appear in the next step 'Choose a virtual network'
dropdown.
Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual
network to open the 'Choose a virtual network' blade. Select the VNet. If you don't see your VNet,
make sure the Location field is pointing to the region in which your virtual network is located.
Public IP address: The 'Create public IP address' blade creates a public IP address object. The
public IP address is dynamically assigned when the VPN gateway is created. VPN Gateway currently
only supports Dynamic Public IP address allocation. However, this does not mean that the IP
address changes after it has been assigned to your VPN gateway. The only time the Public IP
address changes is when the gateway is deleted and re-created. It doesn't change across resizing,
resetting, or other internal maintenance/upgrades of your VPN gateway.
First, click Public IP address to open the 'Choose public IP address' blade, then click +Create
New to open the 'Create public IP address' blade.
Next, input a Name for your public IP address, then click OK at the bottom of this blade to
save your changes.
4. Verify the settings. You can select Pin to dashboard at the bottom of the blade if you want your gateway
to appear on the dashboard.
5. Click Create to begin creating the VPN gateway. The settings will be validated and you'll see the "Deploying
Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need
to refresh your portal page to see the completed status.
After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in
the portal. The gateway will appear as a connected device. You can click the connected device (your virtual
network gateway) to view more information.
3. On the Add connection blade, fill in the values to create your connection.
Name: Name your connection. We use VNet1toSite2 in our example.
Connection type: Select Site-to-site(IPSec).
Virtual network gateway: The value is fixed because you are connecting from this gateway.
Local network gateway: Click Choose a local network gateway and select the local network
gateway that you want to use. In our example, we use Site2.
Shared Key: the value here must match the value that you are using for your local on-premises VPN
device. In the example, we used 'abc123', but you can (and should) use something more complex. The
important thing is that the value you specify here must be the same value that you specified when
configuring your VPN device.
The remaining values for Subscription, Resource Group, and Location are fixed.
4. Click OK to create your connection. You'll see Creating Connection flash on the screen.
5. You can view the connection in the Connections blade of the virtual network gateway. The Status will go
from Unknown to Connecting, and then to Succeeded.
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using
the 'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
Next steps
For information about BGP, see the BGP Overview and How to configure BGP.
For information about Forced Tunneling, see About Forced Tunneling
For information about Highly Available Active-Active connections, see Highly Available cross-premises and
VNet-to-VNet connectivity.
Create a VNet with a Site-to-Site VPN connection
using PowerShell
6/6/2017 15 min to read Edit Online
This article shows you how to use PowerShell to create a Site-to-Site VPN gateway connection from your on-
premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can
also create this configuration using a different deployment tool or deployment model by selecting a different
option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises
that has an externally facing public IP address assigned to it. For more information about VPN gateways, see
About VPN gateway.
VnetName = testvnet
ResourceGroup = testrg
Location = West US
AddressSpace = 10.0.0.0/16
SubnetName = Subnet1
Subnet = 10.0.1.0/28
GatewaySubnet = 10.0.0.0/27
LocalNetworkGatewayName = LocalSite
LNG Public IP = <VPN device IP address>
Local Address Prefixes = 10.0.0.0/24','20.0.0.0/24
Gateway Name = vnetgw1
PublicIP = gwpip
Gateway IP Config = gwipconfig1
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = myGWConnection
Login-AzureRmAccount
If you have multiple Azure subscriptions, check the subscriptions for the account.
Get-AzureRmSubscription
$gwpip= New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName testrg -Location 'West US' -AllocationMethod
Dynamic
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page.
Set the variable for the VirtualNetworkGateway.
Create the connection. This example uses the variable $local that you set in step 2.
2. Modify the 'GatewayIpAddress' value. You can also modify the address prefixes at the same time. Be sure to
use the existing name of your local network gateway to overwrite the current settings. If you don't, you
create a new local network gateway, instead of overwriting the existing one.
New-AzureRmLocalNetworkGateway -Name MyLocalNetworkGWName `
-Location "West US" -AddressPrefix @('10.0.0.0/24','20.0.0.0/24','30.0.0.0/24') `
-GatewayIpAddress "104.40.81.124" -ResourceGroupName MyRGName
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page. To obtain the VirtualNetworkGateway name, you can run the 'Get-
AzureRmVirtualNetworkGateway' cmdlet.
Set the variables.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more
information, see Virtual Machines.
For information about BGP, see the BGP Overview and How to configure BGP.
Create a virtual network with a Site-to-Site VPN
connection using CLI
6/6/2017 13 min to read Edit Online
This article shows you how to use the Azure CLI to create a Site-to-Site VPN gateway connection from your on-
premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can
also create this configuration using a different deployment tool or deployment model by selecting a different
option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises
that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About
VPN gateway.
VnetName = TestVNet1
ResourceGroup = TestRG1
Location = eastus
AddressSpace = 10.12.0.0/16
SubnetName = Subnet1
Subnet = 10.12.0.0/24
GatewaySubnet = 10.12.255.0/27
LocalNetworkGatewayName = Site2
LNG Public IP = <VPN device IP address>
LocalAddrPrefix1 = 10.0.0.0/24
LocalAddrPrefix2 = 20.0.0.0/24
GatewayName = VNet1GW
PublicIP = VNet1GWIP
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = VNet1toSite2
az login
If you have more than one Azure subscription, list the subscriptions for the account.
az network vnet create --name TestVNet1 --resource-group TestRG1 --address-prefix 10.12.0.0/16 --location
eastus --subnet-name Subnet1 --subnet-prefix 10.12.0.0/24
4. Create the gateway subnet
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
For this configuration, you also need a gateway subnet. The virtual network gateway uses a gateway subnet that
contains the IP addresses that are used by the VPN gateway services. When you create a gateway subnet, it must
be named 'GatewaySubnet'. If you name it something else, you create a subnet, but Azure won't treat it as a
gateway subnet.
The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to
create. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger
subnet that includes more addresses by selecting /27 or /28. Using a larger gateway subnet allows for enough IP
addresses to accommodate possible future configurations.
Use the az network vnet subnet create command to create the gateway subnet.
az network vnet subnet create --address-prefix 10.12.255.0/27 --name GatewaySubnet --resource-group TestRG1 --
vnet-name TestVNet1
az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWIP --resource-group TestRG1 --vnet
TestVNet1 --gateway-type Vpn --vpn-type RouteBased --sku Standard --no-wait
az network vpn-connection create --name VNet1toSite2 -resource-group TestRG1 --vnet-gateway1 VNet1GW -l eastus
--shared-key abc123 --local-gateway2 Site2
If you want to use another method to verify your connection, see Verify a VPN Gateway connection.
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
Common tasks
This section contains common commands that are helpful when working with site-to-site configurations. For the
full list of CLI networking commands, see Azure CLI - Networking.
To view local network gateways
To view a list of the local network gateways, use the az network local-gateway list command.
"gatewayIpAddress": "23.99.222.170",
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more
information, see Virtual Machines.
For information about BGP, see the BGP Overview and How to configure BGP.
For information about forced tunneling, see Configure forced tunneling.
For a list of networking Azure CLI commands, see Azure CLI.
Create a Site-to-Site connection using the Azure
portal (classic)
5/8/2017 11 min to read Edit Online
This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-
premises network to the VNet. The steps in this article apply to the classic deployment model. You can also create
this configuration using a different deployment tool or deployment model by selecting a different option from the
following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises
that has an externally facing public IP address assigned to it. For more information about VPN gateways, see
About VPN gateway.
3. Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Classic,
and then click Create.
4. On the Create virtual network blade, configure the VNet settings. In this blade, you add your first address
space and a single subnet address range. After you finish creating the VNet, you can go back and add
additional subnets and address spaces.
5. Verify that the Subscription is the correct one. You can change subscriptions by using the drop-down.
6. Click Resource group and either select an existing resource group, or create a new one by typing a name for
your new resource group. For more information about resource groups, visit Azure Resource Manager
Overview.
7. Next, select the Location settings for your VNet. The location determines where the resources that you deploy
to this VNet will reside.
8. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click
Create.
9. After clicking 'Create', a tile appears on the dashboard that reflects the progress of your VNet. The tile
changes as the VNet is being created.
Once your virtual network has been created, you will see Created listed under Status on the networks page in the
Azure classic portal.
4. On the Add subnet blade, add the gateway subnet. The size of the gateway subnet that you specify
depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway
subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by
selecting /27 or /28. Using the larger gateway subnet allows for enough IP addresses to accommodate
possible future configurations.
NOTE
Currently, this step is not available in the Azure portal. You must use the Service Management (SM) version of the Azure
PowerShell cmdlets.
Login-AzureRmAccount
Get-AzureRmSubscription
3. If you have more than one subscription, select the subscription that you want to use.
Add-AzureAccount
2. Open the network configuration file with an xml editor and check the values for 'LocalNetworkSite name'
and 'VirtualNetworkSite name'. Modify the example to reflect the values. When specifying a name that
contains spaces, use single quotation marks around the value.
3. Set the shared key and create the connection. The '-SharedKey' is a value that you generate and specify. In
the example, we used 'abc123', but you can generate (and should) use something more complex. The
important thing is that the value you specify here must be the same value that you specified when
configuring your VPN device.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines.
Create a VNet with a Site-to-Site connection using
the classic portal (classic)
4/24/2017 6 min to read Edit Online
This article shows you how to use the classic portal to create a Site-to-Site VPN gateway connection from your
on-premises network to the VNet. The steps in this article apply to the classic deployment model. You can also
create this configuration using a different deployment tool or deployment model by selecting a different option
from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises
that has an externally facing public IP address assigned to it. For more information about VPN gateways, see
About VPN gateway.
Additional configurations
If you want to connect VNets together, see Configure a VNet-to-VNet connection for the classic deployment
model. If you want to add a Site-to-Site connection to a VNet that already has a connection, see Add a S2S
connection to a VNet with an existing VPN gateway connection.
Verify that you have the following items before beginning configuration:
A compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't
familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-
premises network configuration, you need to coordinate with someone who can provide those details for you.
An externally facing public IP address for your VPN device. This IP address cannot be located behind a NAT.
An Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber
benefits or sign up for a free account.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines.
Configure a Point-to-Site connection to a VNet using
the Azure portal
5/16/2017 24 min to read Edit Online
This article shows you how to create a VNet with a Point-to-Site connection in the Resource Manager deployment
model using the Azure portal. You can also create this configuration using a different deployment tool or
deployment model by selecting a different option from the following list:
A Point-to-Site (P2S) configuration lets you create a secure connection from an individual client computer to a
virtual network. Point-to-Site connections are useful when you want to connect to your VNet from a remote
location, such as from home or a conference, or when you only have a few clients that need to connect to a virtual
network. The P2S VPN connection is initiated from the client computer using the native Windows VPN client.
Connecting clients use certificates to authenticate.
Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN
connection over SSTP (Secure Socket Tunneling Protocol). On the server side, we support SSTP versions 1.0, 1.1,
and 1.2. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by default. For more
information about Point-to-Site connections, see the Point-to-Site FAQ at the end of this article.
P2S connections require the following:
A RouteBased VPN gateway.
The public key (.cer file) for a root certificate, uploaded to Azure. This is considered a trusted certificate and is
used for authentication.
A client certificate generated from the root certificate, and installed on each client computer that will connect.
This certificate is used for client authentication.
A VPN client configuration package must be generated and installed on every client computer that connects.
The client configuration package configures the native VPN client that is already on the operating system with
the necessary information to connect to the VNet.
Example values
You can use the following values to create a test environment, or refer to these values to better understand the
examples in this article:
Name: VNet1
Address space: 192.168.0.0/16
For this example, we use only one address space. You can have more than one address space for your VNet.
Subnet name: FrontEnd
Subnet address range: 192.168.1.0/24
Subscription: If you have more than one subscription, verify that you are using the correct one.
Resource Group: TestRG
Location: East US
GatewaySubnet: 192.168.200.0/24
Virtual network gateway name: VNet1GW
Gateway type: VPN
VPN type: Route-based
Public IP address: VNet1GWpip
Connection type: Point-to-site
Client address pool: 172.16.201.0/24
VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client
address pool.
3. Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource
Manager, and then click Create.
4. On the Create virtual network blade, configure the VNet settings. When you fill in the fields, the red
exclamation mark will become a green check mark when the characters entered in the field are valid.
5. The Create virtual network blade looks similar to the following example. There may be values that are
auto-filled. If so, replace the values with your own.
To create subnets
1. To create subnets, in the Settings section of your virtual network blade, click Subnets to open the Subnets
blade.
2. In the Subnets blade, click +Subnet to open the Add subnet blade. Name your new subnet and specify the
address range.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required
in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range
values to match your configuration requirements.
6 - Generate certificates
Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. You upload the public key
information of the root certificate to Azure. The public key is then considered 'trusted'. Client certificates must be
generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current
User/Personal certificate store. The certificate is used to authenticate the client when it initiates a connection to the
VNet. For more information about generating and installing certificates, see Certificates for Point-to-Site.
Step 1 - Obtain the .cer file for the root certificate
You can use either a root certificate that was generated using an enterprise solution (recommended), or you can
generate a self-signed certificate. If you use a self-signed certificate, be sure to use the Create a self-signed root
certificate for Point-to-Site connections article. The article contains the specific settings necessary to generate a
P2S-compatible certificate.
After creating the root certificate, you export the public certificate data (not the private key) as a Base-64 encoded
X.509 .cer file. You then upload the public certificate data from the root certificate to Azure.
Enterprise certificate: If you are using an enterprise solution, you can use your existing certificate chain.
Obtain the .cer file for the root certificate that you want to use.
Self-signed root certificate: If you are not using an enterprise certificate solution, you need to create a self-
signed root certificate. The root certificate must contain specific values in order to work with a Point-to-Site
connection. See the following articles for instructions:
To create a self-signed root certificate, see Create a self-signed root certificate for Point-to-Site
connections.
To export the public key (.cer file), see Create a self-signed root certificate for Point-to-Site connections.
Step 2 - Generate a client certificate
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. The client
certificate is generated from the root certificate and installed on each client computer. If a valid client certificate is
not installed and the client tries to connect to the VNet, authentication fails.
You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients.
The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if
multiple clients are using the same client certificate and you need to revoke it, you have to generate and install
new certificates for all the clients that use that certificate to authenticate.
You can generate client certificates using the following methods:
Enterprise certificate:
If you are using an enterprise certificate solution, generate a client certificate with the common name
value format 'name@yourdomain.com', rather than the 'domain name\username' format.
Make sure the client certificate is based on the 'User' certificate template that has 'Client Authentication'
as the first item in the use list, rather than Smart Card Logon, etc. You can check the certificate by
double-clicking the client certificate and viewing Details > Enhanced Key Usage.
Self-signed root certificate: If you generate a client certificate from a self-signed root certificate using
the Create a self-signed root certificate for Point-to-Site connections article instructions, it's automatically
installed on the computer that you used to generate it. If you want to install a client certificate on another
client computer, you need to export it. Follow the instructions in the article to export the certificate.
2. You can delete the auto-filled range, then add the private IP address range that you want to use. Click Save
to validate and save the setting.
8 - Upload the root certificate .cer file
After the gateway has been created, you can upload the .cer file (which contains the public key information) for a
trusted root certificate to Azure. Once a.cer file is uploaded, Azure can use it to authenticate clients that have
installed a client certificate generated from the trusted root certificate. You can upload additional trusted root
certificate files - up to a total of 20 - later, if needed.
1. Certificates are added on the Point-to-site configuration blade in the Root certificate section.
2. Make sure that you exported the root certificate as a Base-64 encoded X.509 (.cer) file. You need to export the
certificate in this format so you can open the certificate with text editor.
3. Open the certificate with a text editor, such as Notepad. When copying the certificate data, make sure that
you copy the text as one continuous line without carriage returns or line feeds. You may need to modify
your view in the text editor to 'Show Symbol/Show all characters' to see the carriage returns and line feeds.
Copy only the following section as one continuous line:
4. Paste the certificate data into the Public Certificate Data field. Name the certificate, and then click Save.
You can add up to 20 trusted root certificates.
2. Select the correct package for your client, and then click Download. Save the configuration package file.
You install the VPN client configuration package on each client computer that connects to the virtual
network.
11 - Connect to Azure
1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN
connection that you created. It is named the same name as your virtual network. Click Connect. A pop-up
message may appear that refers to using the certificate. Click Continue to use elevated privileges.
2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate
screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use
the drop-down arrow to select the correct certificate, and then click OK.
3. Your connection is established.
If you are having trouble connecting to a virtual machine over P2S, use 'ipconfig' to check the IPv4 address
assigned to the Ethernet adapter on the computer from which you are connecting. If the IP address is within the
address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool,
this is referred to as an overlapping address space. When your address space overlaps in this way, the network
traffic doesn't reach Azure, it stays on the local network. If your network address spaces don't overlap and you still
can't connect to your VM, see Troubleshoot Remote Desktop connections to a VM.
Connect to a virtual machine
You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The
best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather
than computer name. That way, you are testing to see if you can connect, not whether name resolution is
configured properly.
1. Locate the private IP address. You can find the private IP address of a VM by either looking at the
properties for the VM in the Azure portal, or by using PowerShell.
Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The
private IP address is listed.
PowerShell - Use the example to view a list of VMs and private IP addresses from your resource
groups. You don't need to modify this example before using it.
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are
connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the
address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your
address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
Verify that the VPN client configuration package was generated after the DNS server IP addresses were
specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client
configuration package.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
Point-to-Site FAQ
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows 10
Can I use any software VPN client for Point-to -Site that supports SSTP?
No. Support is limited only to the Windows operating system versions listed above.
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
Can I use my own internal PKI root CA for Point-to -Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.
Can I traverse proxies and firewalls using Point-to -Site capability?
Yes. We use SSTP (Secure Socket Tunneling Protocol) to tunnel through firewalls. This tunnel will appear as an
HTTPs connection.
If I restart a client computer configured for Point-to -Site, will the VPN automatically reconnect?
By default, the client computer will not reestablish the VPN connection automatically.
Does Point-to -Site support auto -reconnect and DDNS on the VPN clients?
Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.
Can I have Site -to -Site and Point-to -Site configurations coexist for the same virtual network?
Yes. Both these solutions will work if you have a RouteBased VPN type for your gateway. For the classic
deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN
gateways or gateways using the -VpnType PolicyBased cmdlet.
Can I configure a Point-to -Site client to connect to multiple virtual networks at the same time?
Yes, it is possible. But the virtual networks cannot have overlapping IP prefixes and the Point-to-Site address
spaces must not overlap between the virtual networks.
How much throughput can I expect through Site -to -Site or Point-to -Site connections?
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols.
Throughput is also limited by the latency and bandwidth between your premises and the Internet.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM
network overview.
Configure a Point-to-Site connection to a VNet using
PowerShell
5/24/2017 21 min to read Edit Online
This article shows you how to create a VNet with a Point-to-Site connection in the Resource Manager deployment
model using PowerShell. You can also create this configuration using a different deployment tool or deployment
model by selecting a different option from the following list:
A Point-to-Site (P2S) configuration lets you create a secure connection from an individual client computer to a
virtual network. Point-to-Site connections are useful when you want to connect to your VNet from a remote
location, such as from home or a conference, or when you only have a few clients that need to connect to a virtual
network. The P2S VPN connection is initiated from the client computer using the native Windows VPN client.
Connecting clients use certificates to authenticate.
Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN
connection over SSTP (Secure Socket Tunneling Protocol). On the server side, we support SSTP versions 1.0, 1.1,
and 1.2. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by default. For more
information about Point-to-Site connections, see the Point-to-Site FAQ at the end of this article.
P2S connections require the following:
A RouteBased VPN gateway.
The public key (.cer file) for a root certificate, uploaded to Azure. This is considered a trusted certificate and is
used for authentication.
A client certificate generated from the root certificate, and installed on each client computer that will connect.
This certificate is used for client authentication.
A VPN client configuration package must be generated and installed on every client computer that connects.
The client configuration package configures the native VPN client that is already on the operating system with
the necessary information to connect to the VNet.
Before beginning
Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate
your MSDN subscriber benefits or sign up for a free account.
Install the latest version of the Azure Resource Manager PowerShell cmdlets. For more information about
installing PowerShell cmdlets, see How to install and configure Azure PowerShell.
Example values
You can use the example values to create a test environment, or refer to these values to better understand the
examples in this article. We set the variables in section 1 of the article. You can either use the steps as a walk-
through and use the values without changing them, or change them to reflect your environment.
Name: VNet1
Address space: 192.168.0.0/16 and 10.254.0.0/16
For this example, we use more than one address space to illustrate that this configuration works with multiple
address spaces. However, multiple address spaces are not required for this configuration.
Subnet name: FrontEnd
Subnet address range: 192.168.1.0/24
Subnet name: BackEnd
Subnet address range: 10.254.1.0/24
Subnet name: GatewaySubnet
The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.
GatewaySubnet address range: 192.168.200.0/24
VPN client address pool: 172.16.201.0/24
VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the VPN
client address pool.
Subscription: If you have more than one subscription, verify that you are using the correct one.
Resource Group: TestRG
Location: East US
DNS Server: IP address of the DNS server that you want to use for name resolution.
GW Name: Vnet1GW
Public IP name: VNet1GWPIP
VpnType: RouteBased
Login-AzureRmAccount
Get-AzureRmSubscription
4. Declare the variables that you want to use. Use the following sample, substituting the values for your own
when necessary.
$VNetName = "VNet1"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/26"
$VPNClientAddressPool = "172.16.201.0/24"
$RG = "TestRG"
$Location = "East US"
$DNS = "8.8.8.8"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"
2 - Configure a VNet
1. Create a resource group.
2. Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and
GatewaySubnet. These prefixes must be part of the VNet address space that you declared.
5. A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it
when creating your virtual network gateway. The IP address is dynamically assigned to the resource when
the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation.
You cannot request a Static Public IP address assignment. However, this does not mean that the IP address
changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is
when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal
maintenance/upgrades of your VPN gateway.
Request a dynamically assigned public IP address.
3 - Generate certificates
Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. You upload the public key
information of the root certificate to Azure. The public key is then considered 'trusted'. Client certificates must be
generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current
User/Personal certificate store. The certificate is used to authenticate the client when it initiates a connection to the
VNet. For more information about generating and installing certificates, see Certificates for Point-to-Site.
Step 1 - Obtain the .cer file for the root certificate
You can use either a root certificate that was generated using an enterprise solution (recommended), or you can
generate a self-signed certificate. If you use a self-signed certificate, be sure to use the Create a self-signed root
certificate for Point-to-Site connections article. The article contains the specific settings necessary to generate a
P2S-compatible certificate.
After creating the root certificate, you export the public certificate data (not the private key) as a Base-64 encoded
X.509 .cer file. You then upload the public certificate data from the root certificate to Azure.
Enterprise certificate: If you are using an enterprise solution, you can use your existing certificate chain.
Obtain the .cer file for the root certificate that you want to use.
Self-signed root certificate: If you are not using an enterprise certificate solution, you need to create a self-
signed root certificate. The root certificate must contain specific values in order to work with a Point-to-Site
connection. See the following articles for instructions:
To create a self-signed root certificate, see Create a self-signed root certificate for Point-to-Site
connections.
To export the public key (.cer file), see Create a self-signed root certificate for Point-to-Site connections.
Step 2 - Generate a client certificate
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. The client
certificate is generated from the root certificate and installed on each client computer. If a valid client certificate is
not installed and the client tries to connect to the VNet, authentication fails.
You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients.
The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if
multiple clients are using the same client certificate and you need to revoke it, you have to generate and install
new certificates for all the clients that use that certificate to authenticate.
You can generate client certificates using the following methods:
Enterprise certificate:
If you are using an enterprise certificate solution, generate a client certificate with the common name
value format 'name@yourdomain.com', rather than the 'domain name\username' format.
Make sure the client certificate is based on the 'User' certificate template that has 'Client Authentication'
as the first item in the use list, rather than Smart Card Logon, etc. You can check the certificate by
double-clicking the client certificate and viewing Details > Enhanced Key Usage.
Self-signed root certificate: If you generate a client certificate from a self-signed root certificate using the
Create a self-signed root certificate for Point-to-Site connections article instructions, it's automatically
installed on the computer that you used to generate it. If you want to install a client certificate on another
client computer, you need to export it. Follow the instructions in the article to export the certificate.
$P2SRootCertName = "P2SRootCert.cer"
2. Replace the file path with your own, and then run the cmdlets.
$filePathForCert = "C:\cert\P2SRootCert.cer"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64
2. Copy and paste the link that is returned to a web browser to download the package, taking care to remove the
quotes surrounding the link.
3. Download and install the package on the client computer. If you see a SmartScreen popup, click More info,
then Run anyway. You can also save the package to install on other client computers.
4. On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of
the virtual network that it connects to.
8 - Connect to Azure
1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection
that you created. It is named the same name as your virtual network. Click Connect. A pop-up message may
appear that refers to using the certificate. Click Continue to use elevated privileges.
2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate
screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use
the drop-down arrow to select the correct certificate, and then click OK.
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are
connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the
address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your
address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
Verify that the VPN client configuration package was generated after the DNS server IP addresses were
specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client
configuration package.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
NOTE
When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns
or line feeds. You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the
carriage returns and line feeds.
2. Specify the certificate name and key information as a variable. Replace the information with your own, as
shown in the following example:
$P2SRootCertName2 = "ARMP2SRootCert2.cer"
$MyP2SCertPubKeyBase64_2 =
"MIIC/zCCAeugAwIBAgIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU15UDJTUm9vdENlcnQwHhcNMTUxMj
E5MDI1MTIxWhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw1NeVAyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBC
gKCAQEAyjIXoWy8xE/GF1OSIvUaA0bxBjZ1PJfcXkMWsHPzvhWc2esOKrVQtgFgDz4ggAnOUFEkFaszjiHdnXv3mjzE2SpmAVIZPf2/
yPWqkoHwkmrp6BpOvNVOpKxaGPOuK8+dql1xcL0eCkt69g4lxy0FGRFkBcSIgVTViS9wjuuS7LPo5+OXgyFkAY3pSDiMzQCkRGNFgw5
WGMHRDAiruDQF1ciLNojAQCsDdLnI3pDYsvRW73HZEhmOqRRnJQe6VekvBYKLvnKaxUTKhFIYwuymHBB96nMFdRUKCZIiWRIy8Hc8+s
QEsAML2EItAjQv4+fqgYiFdSWqnQCPf/7IZbotgQIDAQABo00wSzBJBgNVHQEEQjBAgBAkuVrWvFsCJAdK5pb/eoCNoRowGDEWMBQGA
1UEAxMNTXlQMlNSb290Q2VydIIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAA4IBAQA223veAZEIar9N12ubNH2+HwZASNzDVNqs
pkPKD97TXfKHlPlIcS43TaYkTz38eVrwI6E0yDk4jAuPaKnPuPYFRj9w540SvY6PdOUwDoEqpIcAVp+b4VYwxPL6oyEQ8wnOYuoAK1h
hh20lCbo8h9mMy9ofU+RP6HJ7lTqupLfXdID/XevI8tW6Dm+C/wCeV3EmIlO9KUoblD/e24zlo3YzOtbyXwTIh34T0fO/zQvUuBqZMc
IPfM1cDvqcqiEFLWvWKoAnxbzckye2uk1gHO52d8AVL3mGiX8wBJkjc/pMdxrEvvCzJkltBmqxTM6XjDJALuVh16qFlqgTWCIcb7ju"
3. Add the new root certificate. You can only add one certificate at a time.
4. You can verify that the new certificate was added correctly by using the following example:
$GWName = "Name_of_virtual_network_gateway"
$RG = "Name_of_resource_group"
$P2SRootCertName2 = "ARMP2SRootCert2.cer"
$MyP2SCertPubKeyBase64_2 =
"MIIC/zCCAeugAwIBAgIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU15UDJTUm9vdENlcnQwHhcNMTUxMj
E5MDI1MTIxWhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw1NeVAyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBC
gKCAQEAyjIXoWy8xE/GF1OSIvUaA0bxBjZ1PJfcXkMWsHPzvhWc2esOKrVQtgFgDz4ggAnOUFEkFaszjiHdnXv3mjzE2SpmAVIZPf2/
yPWqkoHwkmrp6BpOvNVOpKxaGPOuK8+dql1xcL0eCkt69g4lxy0FGRFkBcSIgVTViS9wjuuS7LPo5+OXgyFkAY3pSDiMzQCkRGNFgw5
WGMHRDAiruDQF1ciLNojAQCsDdLnI3pDYsvRW73HZEhmOqRRnJQe6VekvBYKLvnKaxUTKhFIYwuymHBB96nMFdRUKCZIiWRIy8Hc8+s
QEsAML2EItAjQv4+fqgYiFdSWqnQCPf/7IZbotgQIDAQABo00wSzBJBgNVHQEEQjBAgBAkuVrWvFsCJAdK5pb/eoCNoRowGDEWMBQGA
1UEAxMNTXlQMlNSb290Q2VydIIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAA4IBAQA223veAZEIar9N12ubNH2+HwZASNzDVNqs
pkPKD97TXfKHlPlIcS43TaYkTz38eVrwI6E0yDk4jAuPaKnPuPYFRj9w540SvY6PdOUwDoEqpIcAVp+b4VYwxPL6oyEQ8wnOYuoAK1h
hh20lCbo8h9mMy9ofU+RP6HJ7lTqupLfXdID/XevI8tW6Dm+C/wCeV3EmIlO9KUoblD/e24zlo3YzOtbyXwTIh34T0fO/zQvUuBqZMc
IPfM1cDvqcqiEFLWvWKoAnxbzckye2uk1gHO52d8AVL3mGiX8wBJkjc/pMdxrEvvCzJkltBmqxTM6XjDJALuVh16qFlqgTWCIcb7ju"
3. Use the following example to verify that the certificate was removed successfully.
$RevokedClientCert1 = "NameofCertificate"
$RevokedThumbprint1 = "51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
$GWName = "Name_of_virtual_network_gateway"
$RG = "Name_of_resource_group"
4. Add the thumbprint to the list of revoked certificates. You see "Succeeded" when the thumbprint has been
added.
5. Verify that the thumbprint was added to the certificate revocation list.
6. After the thumbprint has been added, the certificate can no longer be used to connect. Clients that try to
connect using this certificate receive a message saying that the certificate is no longer valid.
To reinstate a client certificate
You can reinstate a client certificate by removing the thumbprint from the list of revoked client certificates.
1. Declare the variables. Make sure you declare the correct thumbprint for the certificate that you want to
reinstate.
$RevokedClientCert1 = "NameofCertificate"
$RevokedThumbprint1 = "51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
$GWName = "Name_of_virtual_network_gateway"
$RG = "Name_of_resource_group"
Point-to-Site FAQ
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows 10
Can I use any software VPN client for Point-to -Site that supports SSTP?
No. Support is limited only to the Windows operating system versions listed above.
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
Can I use my own internal PKI root CA for Point-to -Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.
Can I traverse proxies and firewalls using Point-to -Site capability?
Yes. We use SSTP (Secure Socket Tunneling Protocol) to tunnel through firewalls. This tunnel will appear as an
HTTPs connection.
If I restart a client computer configured for Point-to -Site, will the VPN automatically reconnect?
By default, the client computer will not reestablish the VPN connection automatically.
Does Point-to -Site support auto -reconnect and DDNS on the VPN clients?
Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.
Can I have Site -to -Site and Point-to -Site configurations coexist for the same virtual network?
Yes. Both these solutions will work if you have a RouteBased VPN type for your gateway. For the classic
deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN
gateways or gateways using the -VpnType PolicyBased cmdlet.
Can I configure a Point-to -Site client to connect to multiple virtual networks at the same time?
Yes, it is possible. But the virtual networks cannot have overlapping IP prefixes and the Point-to-Site address
spaces must not overlap between the virtual networks.
How much throughput can I expect through Site -to -Site or Point-to -Site connections?
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols.
Throughput is also limited by the latency and bandwidth between your premises and the Internet.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM
network overview.
Configure a Point-to-Site connection to a VNet using
the Azure portal (classic)
5/16/2017 20 min to read Edit Online
NOTE
This article is written for the classic deployment model. If you are new to Azure, we recommend that you use the Resource
Manager deployment model. For information about the deployment models, see Understanding deployment models. To
see the Resource Manager version of this article, select it from the drop-down list, or from the table of contents on the left.
This article shows you how to create a VNet with a Point-to-Site connection in the classic deployment model using
the Azure portal. You can also create this configuration using a different deployment tool or deployment model by
selecting a different option from the following list:
A Point-to-Site (P2S) configuration lets you create a secure connection from an individual client computer to a
virtual network. Point-to-Site connections are useful when you want to connect to your VNet from a remote
location, such as from home or a conference, or when you only have a few clients that need to connect to a virtual
network. The P2S VPN connection is initiated from the client computer using the native Windows VPN client.
Connecting clients use certificates to authenticate.
Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN
connection over SSTP (Secure Socket Tunneling Protocol). On the server side, we support SSTP versions 1.0, 1.1,
and 1.2. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by default. For more
information about Point-to-Site connections, see the Point-to-Site FAQ at the end of this article.
P2S connections require the following:
A Dynamic VPN gateway.
The public key (.cer file) for a root certificate, uploaded to Azure. This is considered a trusted certificate and is
used for authentication.
A client certificate generated from the root certificate, and installed on each client computer that will connect.
This certificate is used for client authentication.
A VPN client configuration package must be generated and installed on every client computer that connects.
The client configuration package configures the native VPN client that is already on the operating system with
the necessary information to connect to the VNet.
Example settings
You can use the following values to create a test environment, or refer to these values to better understand the
examples in this article:
Name: VNet1
Address space: 192.168.0.0/16
For this example, we use only one address space. You can have more than one address space for your VNet.
Subnet name: FrontEnd
Subnet address range: 192.168.1.0/24
Subscription: If you have more than one subscription, verify that you are using the correct one.
Resource Group: TestRG
Location: East US
Connection type: Point-to-site
Client Address Space: 172.16.201.0/24. VPN clients that connect to the VNet using this Point-to-Site
connection receive an IP address from the specified pool.
GatewaySubnet: 192.168.200.0/24. The Gateway subnet must use the name 'GatewaySubnet'.
Size: Select the gateway SKU that you want to use.
Routing Type: Dynamic
3. Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Classic,
and then click Create.
4. On the Create virtual network blade, configure the VNet settings. In this blade, you add your first address
space and a single subnet address range. After you finish creating the VNet, you can go back and add
additional subnets and address spaces.
5. Verify that the Subscription is the correct one. You can change subscriptions by using the drop-down.
6. Click Resource group and either select an existing resource group, or create a new one by typing a name for
your new resource group. If you are creating a new resource group, name the resource group according to
your planned configuration values. For more information about resource groups, visit Azure Resource
Manager Overview.
7. Next, select the Location settings for your VNet. The location determines where the resources that you deploy
to this VNet will reside.
8. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click
Create.
9. After clicking Create, a tile appears on your dashboard that will reflect the progress of your VNet. The tile
changes as the VNet is being created.
10. Once your virtual network has been created, you see Created listed under Status on the networks page in the
Azure classic portal.
11. Add a DNS server (optional). After you create your virtual network, you can add the IP address of a DNS server
for name resolution. The DNS server you specify should be one that can resolve the names for the resources in
your VNet.
To add a DNS server, open the settings for your virtual network, click DNS servers, and add the IP address of
the DNS server that you want to use. The client configuration package that you generate in a later step will
contain the IP addresses of the DNS servers that you specify in this setting. If you need to update the list of
DNS servers in the future, you can generate and install new VPN client configuration packages that reflect the
updated list.
Part 2: Create gateway subnet and a dynamic routing gateway
In this step, you create a gateway subnet and a Dynamic routing gateway. In the Azure portal for the classic
deployment model, creating the gateway subnet and the gateway can be done through the same configuration
blades.
1. In the portal, navigate to the virtual network for which you want to create a gateway.
2. On the blade for your virtual network, on the Overview blade, in the VPN connections section, click
Gateway.
7. Click Subnet Configure required settings to add the gateway subnet. While it is possible to create a
gateway subnet as small as /29, we recommend that you create a larger subnet that includes more
addresses by selecting at least /28 or /27. This will allow for enough addresses to accommodate possible
additional configurations that you may want in the future. When working with gateway subnets, avoid
associating a network security group (NSG) to the gateway subnet. Associating a network security group to
this subnet may cause your VPN gateway to stop functioning as expected.
8. Select the gateway Size. The size is the gateway SKU for your virtual network gateway. In the portal, the
Default SKU is Basic. For more information about gateway SKUs, see About VPN Gateway Settings.
9. Select the Routing Type for your gateway. P2S configurations require a Dynamic routing type. Click OK
when you have finished configuring this blade.
10. On the New VPN Connection blade, click OK at the bottom of the blade to begin creating your virtual
network gateway. A VPN gateway can take up to 45 minutes to complete, depending on the gateway sku that
you select.
2. On the Point-to-site connection blade, click Manage certificates to open the Certificates blade.
3. On the Certificates blade, click Upload to open the Upload certificate blade.
4. Click the folder graphic to browse for the .cer file. Select the file, then click OK. Refresh the page to see the
uploaded certificate on the Certificates blade.
3. Once the packaged generates, download and install it on your client computer. If you see a SmartScreen
popup, click More info, then Run anyway. You can also save the package to install on other client computers.
Part 2: Install the client certificate
If you want to create a P2S connection from a client computer other than the one you used to generate the client
certificates, you need to install a client certificate. When installing a client certificate, you need the password that
was created when the client certificate was exported. Typically, this is just a matter of double-clicking the
certificate and installing it. For more information, see Install an exported client certificate.
Section 5 - Connect to Azure
Connect to your VNet
1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection
that you created. It is named the same name as your virtual network. Click Connect. A pop-up message may
appear that refers to using the certificate. If this happens, click Continue to use elevated privileges.
2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate
screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use
the drop-down arrow to select the correct certificate, and then click OK.
If you are having trouble connecting to a virtual machine over P2S, use 'ipconfig' to check the IPv4 address
assigned to the Ethernet adapter on the computer from which you are connecting. If the IP address is within the
address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool,
this is referred to as an overlapping address space. When your address space overlaps in this way, the network
traffic doesn't reach Azure, it stays on the local network. If your network address spaces don't overlap and you still
can't connect to your VM, see Troubleshoot Remote Desktop connections to a VM.
2. On the Point-to-site connection blade, click Manage certificates to open the Certificates blade.
3. On the Certificates blade, click the ellipsis next to the certificate that you want to remove, then click
Delete.
Point-to-Site FAQ
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows 10
Can I use any software VPN client for Point-to -Site that supports SSTP?
No. Support is limited only to the Windows operating system versions listed above.
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
Can I use my own internal PKI root CA for Point-to -Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.
Can I traverse proxies and firewalls using Point-to -Site capability?
Yes. We use SSTP (Secure Socket Tunneling Protocol) to tunnel through firewalls. This tunnel will appear as an
HTTPs connection.
If I restart a client computer configured for Point-to -Site, will the VPN automatically reconnect?
By default, the client computer will not reestablish the VPN connection automatically.
Does Point-to -Site support auto -reconnect and DDNS on the VPN clients?
Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.
Can I have Site -to -Site and Point-to -Site configurations coexist for the same virtual network?
Yes. Both these solutions will work if you have a RouteBased VPN type for your gateway. For the classic
deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN
gateways or gateways using the -VpnType PolicyBased cmdlet.
Can I configure a Point-to -Site client to connect to multiple virtual networks at the same time?
Yes, it is possible. But the virtual networks cannot have overlapping IP prefixes and the Point-to-Site address
spaces must not overlap between the virtual networks.
How much throughput can I expect through Site -to -Site or Point-to -Site connections?
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols.
Throughput is also limited by the latency and bandwidth between your premises and the Internet.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM
network overview.
Generate and export certificates for Point-to-Site
connections using PowerShell on Windows 10
5/24/2017 7 min to read Edit Online
Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root
certificate and generate client certificates using PowerShell on Windows 10. If you are looking for Point-to-Site
configuration steps, such as how to upload root certificates, select one of the 'Configure Point-to-Site' articles from
the following list:
You must perform the steps in this article on a computer running Windows 10. The PowerShell cmdlets that you
use to generate certificates are part of the Windows 10 operating system and do not work on other versions of
Windows. The Windows 10 computer is only needed to generate the certificates. Once the certificates are
generated, you can upload them, or install them on any supported client operating system.
If you do not have access to a Windows 10 computer, you can use MakeCert to generate certificates. However,
MakeCert can't generate SHA-2 certificates, only SHA-1. SHA-1 certificates are still valid for Point-to-Site
connections, but SHA-1 uses an encryption hash that is not as strong as SHA-2. For this reason, we recommend
that you use these PowerShell steps, if at all possible. The certificates that you generate using either method can
be installed on any supported client operating system.
Example 2
If you are creating additional client certificates, or are not using the same PowerShell session that you used to
create your self-signed root certificate, use the following steps:
1. Identify the self-signed root certificate that is installed on the computer. This cmdlet returns a list of
certificates that are installed on your computer.
2. Locate the subject name from the returned list, then copy the thumbprint that is located next to it to a text
file. In the following example, there are two certificates. The CN name is the name of the self-signed root
certificate from which you want to generate a child certificate. In this case, 'P2SRootCert'.
Thumbprint Subject
AED812AD883826FF76B4D1D5A77B3C08EFA79F3F CN=P2SChildCert4
7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655 CN=P2SRootCert
3. Declare a variable for the root certificate using the thumbprint from the previous step. Replace
THUMBPRINT with the thumbprint of the root certificate from which you want to generate a child
certificate.
For example, using the thumbprint for P2SRootCert in the previous step, the variable looks like this:
4. Modify and run the example to generate a client certificate. If you run the following example without
modifying it, the result is a client certificate named 'P2SChildCert'. If you want to name the child certificate
something else, modify the CN value. Do not change the TextExtension when running this example. The
client certificate that you generate is automatically installed in 'Certificates - Current
User\Personal\Certificates' on your computer.
Next steps
Continue with your Point-to-Site configuration.
For Resource Manager deployment model steps, see Configure a Point-to-Site connection to a VNet.
For classic deployment model steps, see Configure a Point-to-Site VPN connection to a VNet (classic).
Generate and export certificates for Point-to-Site
connections using MakeCert
5/24/2017 6 min to read Edit Online
NOTE
Use the instructions in this article to generate certificates only when you don't have access to a computer running Windows
10. Otherwise, we recommend that you use the Generate self-signed certificates using Windows 10 PowerShell article
instead.
Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root
certificate and generate client certificates using MakeCert. If you are looking for Point-to-Site configuration steps,
such as how to upload root certificates, select one of the 'Configure Point-to-Site' articles from the following list:
While we recommend using the Windows 10 PowerShell steps to create your certificates, we provide these
MakeCert instructions as an optional method. The certificates that you generate using either method can be
installed on any supported client operating system. However, MakeCert has the following limitations:
MakeCert cannot generate SHA-2 certificates, only SHA-1. SHA-1 certificates are still valid for Point-to-Site
connections, but SHA-1 uses an encryption hash that is not as strong as SHA-2.
MakeCert is deprecated. This means that this tool could be removed at any point. Any certificates that you
already generated using MakeCert won't be affected if MakeCert is no longer available. MakeCert is only used
to generate the certificates, not as a validating mechanism.
3. Create and install a certificate in the Personal certificate store on your computer. The following example
creates a corresponding .cer file that you upload to Azure when configuring P2S. Replace 'P2SRootCert' and
'P2SRootCert.cer' with the name that you want to use for the certificate. The certificate will be located in
your 'Certificates - Current User\Personal\Certificates'.
makecert -sky exchange -r -n "CN=P2SRootCert" -pe -a sha1 -len 2048 -ss My "P2SRootCert.cer"
makecert.exe -n "CN=P2SChildCert" -pe -sky exchange -m 96 -ss My -in "P2SRootCert" -is my -a sha1
Next steps
Continue with your Point-to-Site configuration.
For Resource Manager deployment model steps, see Configure a Point-to-Site connection to a VNet.
For classic deployment model steps, see Configure a Point-to-Site VPN connection to a VNet (classic).
Configure a VNet-to-VNet VPN gateway connection
using the Azure portal
4/24/2017 15 min to read Edit Online
This article shows you how to create a VPN gateway connection between virtual networks. The virtual networks
can be in the same or different regions, and from the same or different subscriptions. The steps in this article apply
to the Resource Manager deployment model and the Azure portal. You can also create this configuration using a
different deployment tool or deployment model by selecting a different option from the following list:
Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-
premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. If
your VNets are in the same region, you may want to consider connecting them using VNet Peering. VNet peering
does not use a VPN gateway. For more information, see VNet peering.
VNet-to-VNet communication can be combined with multi-site configurations. This lets you establish network
topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the
following diagram:
3. Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource
Manager, and then click Create.
4. On the Create virtual network blade, configure the VNet settings. When you fill in the fields, the red
exclamation mark will become a green check mark when the characters entered in the field are valid.
5. The Create virtual network blade looks similar to the following example. There may be values that are
auto-filled. If so, replace the values with your own.
13. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your VNet. The
tile changes as the VNet is being created.
2. Add additional address space and create subnets
You can add additional address space and create subnets once your VNet has been created.
To add address space
1. To add additional address space, under the Settings section for your virtual network blade, click Address
space to open the Address space blade.
2. Add the additional address space, and then click Save at the top of the blade.
To create subnets
1. To create subnets, in the Settings section of your virtual network blade, click Subnets to open the Subnets
blade.
2. In the Subnets blade, click +Subnet to open the Add subnet blade. Name your new subnet and specify the
address range.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required
in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range
values to match your configuration requirements.
3. Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway
object you are creating.
4. Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
5. VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-
based VPN type.
6. SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type
you select.
7. Location: Adjust the Location field to point to the location where your virtual network is located. If the
location is not pointing to the region where your virtual network resides, the virtual network doesn't appear in
the 'Choose a virtual network' dropdown.
8. Choose the virtual network to which you want to add this gateway. Click Virtual network to open the Choose
a virtual network blade. Select the VNet. If you don't see your VNet, make sure the Location field is pointing
to the region in which your virtual network is located.
9. Public IP address: This blade creates a public IP address object to which a public IP address will be
dynamically assigned. Click Public IP address to open the Choose public IP address blade. Click +Create
New to open the Create public IP address blade. Input a name for your public IP address. Click OK to save
your changes to this blade. The IP address is dynamically assigned when the VPN gateway is created. VPN
Gateway currently only supports Dynamic Public IP address allocation. However, this does not mean that the IP
address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes
is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal
maintenance/upgrades of your VPN gateway.
10. Subscription: Verify that the correct subscription is selected.
11. Resource group: This setting is determined by the Virtual Network that you select.
12. Don't adjust the Location after you've specified the previous settings.
13. Verify the settings. If you want your gateway to appear on the dashboard, you can select Pin to dashboard at
the bottom of the blade.
14. Click Create to begin creating the gateway. The settings are validated and the gateway will deploy. Creating a
gateway can take up to 45 minutes.
15. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual
network in the portal. The gateway appears as a connected device. You can click the connected device (your
virtual network gateway) to view more information.
7. View the virtual network gateways that are listed on this blade. Notice that only virtual network gateways that
are in your subscription are listed. If you want to connect to a virtual network gateway that is not in your
subscription, please use the PowerShell article.
8. Click the virtual network gateway that you want to connect to.
9. In the Shared key field, type a shared key for your connection. You can generate or create this key yourself.
In a site-to-site connection, the key you use would be exactly the same for your on-premises device and
your virtual network gateway connection. The concept is similar here, except that rather than connecting to
a VPN device, you are connecting to another virtual network gateway.
You can double-click each connection separately to view more information about the connection.
VNet-to-VNet FAQ
View the FAQ details for additional information about VNet-to-VNet connections.
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the
source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet
Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same
VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See the Virtual
Machines documentation for more information.
Configure a VNet-to-VNet VPN gateway connection
using PowerShell
5/23/2017 15 min to read Edit Online
This article shows you how to create a VPN gateway connection between virtual networks. The virtual networks
can be in the same or different regions, and from the same or different subscriptions. The steps in this article
apply to the Resource Manager deployment model and use PowerShell. You can also create this configuration
using a different deployment tool or deployment model by selecting a different option from the following list:
Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-
premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. If
your VNets are in the same region, you may want to consider connecting them using VNet Peering. VNet peering
does not use a VPN gateway. For more information, see VNet peering.
VNet-to-VNet communication can be combined with multi-site configurations. This lets you establish network
topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the
following diagram:
$Sub1 = "Replace_With_Your_Subcription_Name"
$RG1 = "TestRG1"
$Location1 = "East US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$GWName1 = "VNet1GW"
$GWIPName1 = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection14 = "VNet1toVNet4"
$Connection15 = "VNet1toVNet5"
2. Connect to your account. Use the following example to help you connect:
Login-AzureRmAccount
Get-AzureRmSubscription
4. Create the subnet configurations for TestVNet1. This example creates a virtual network named TestVNet1
and three subnets, one called GatewaySubnet, one called FrontEnd, and one called Backend. When
substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet.
If you name it something else, your gateway creation fails.
The following example uses the variables that you set earlier. In this example, the gateway subnet is using
a /27. While it is possible to create a gateway subnet as small as /29, we recommend that you create a
larger subnet that includes more addresses by selecting at least /28 or /27. This will allow for enough
addresses to accommodate possible additional configurations that you may want in the future.
5. Create TestVNet1.
6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the
AllocationMethod is Dynamic. You cannot specify the IP address that you want to use. It's dynamically
allocated to your gateway.
7. Create the gateway configuration. The gateway configuration defines the subnet and the public IP address
to use. Use the example to create your gateway configuration.
8. Create the gateway for TestVNet1. In this step, you create the virtual network gateway for your TestVNet1.
VNet-to-VNet configurations require a RouteBased VpnType. Creating a gateway can often take 45
minutes or more, depending on the selected gateway SKU.
4. Create TestVNet4.
7. Create the TestVNet4 gateway. Creating a gateway can often take 45 minutes or more, depending on the
selected gateway SKU.
2. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to
TestVNet4. You'll see a shared key referenced in the examples. You can use your own values for the shared
key. The important thing is that the shared key must match for both connections. Creating a connection
can take a short while to complete.
3. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are
creating the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. The connection
will be established after a few minutes.
4. Verify your connection. See the section How to verify your connection.
In this scenario, we connect TestVNet1 and TestVNet5. TestVNet1 and TestVNet5 reside in a different
subscription. The difference between these steps and the previous set is that some of the configuration steps
need to be performed in a separate PowerShell session in the context of the second subscription. Especially when
the two subscriptions belong to different organizations.
Step 5 - Create and configure TestVNet1
You must complete Step 1 and Step 2 from the previous section to create and configure TestVNet1 and the VPN
Gateway for TestVNet1. For this configuration, you are not required to create TestVNet4 from the previous
section, although if you do create it, it will not conflict with these steps. Once you complete Step 1 and Step 2,
continue with Step 6 to create TestVNet5.
Step 6 - Verify the IP address ranges
It is important to make sure that the IP address space of the new virtual network, TestVNet5, does not overlap
with any of your VNet ranges or local network gateway ranges. In this example, the virtual networks may belong
to different organizations. For this exercise, you can use the following values for the TestVNet5:
Values for TestVNet5:
VNet Name: TestVNet5
Resource Group: TestRG5
Location: Japan East
TestVNet5: 10.51.0.0/16 & 10.52.0.0/16
FrontEnd: 10.51.0.0/24
BackEnd: 10.52.0.0/24
GatewaySubnet: 10.52.255.0.0/27
GatewayName: VNet5GW
Public IP: VNet5GWIP
VPNType: RouteBased
Connection: VNet5toVNet1
ConnectionType: VNet2VNet
Step 7 - Create and configure TestVNet5
This step must be done in the context of the new subscription. This part may be performed by the administrator
in a different organization that owns the subscription.
1. Declare your variables. Be sure to replace the values with the ones that you want to use for your
configuration.
$Sub5 = "Replace_With_the_New_Subcription_Name"
$RG5 = "TestRG5"
$Location5 = "Japan East"
$VnetName5 = "TestVNet5"
$FESubName5 = "FrontEnd"
$BESubName5 = "Backend"
$GWSubName5 = "GatewaySubnet"
$VnetPrefix51 = "10.51.0.0/16"
$VnetPrefix52 = "10.52.0.0/16"
$FESubPrefix5 = "10.51.0.0/24"
$BESubPrefix5 = "10.52.0.0/24"
$GWSubPrefix5 = "10.52.255.0/27"
$GWName5 = "VNet5GW"
$GWIPName5 = "VNet5GWIP"
$GWIPconfName5 = "gwipconf5"
$Connection51 = "VNet5toVNet1"
2. Connect to subscription 5. Open your PowerShell console and connect to your account. Use the following
sample to help you connect:
Login-AzureRmAccount
Get-AzureRmSubscription
5. Create TestVNet5.
Copy the output of the following elements and send these to the administrator of Subscription 5 via email
or another method.
$vnet1gw.Name
$vnet1gw.Id
These two elements will have values similar to the following example output:
PS D:\> $vnet1gw.Name
VNet1GW
PS D:\> $vnet1gw.Id
/subscriptions/b636ca99-6f88-4df4-a7c3-
2f8dc4545509/resourceGroupsTestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW
2. [Subscription 5] Get the virtual network gateway for Subscription 5. Log in and connect to Subscription 5
before running the following example:
$vnet5gw = Get-AzureRmVirtualNetworkGateway -Name $GWName5 -ResourceGroupName $RG5
Copy the output of the following elements and send these to the administrator of Subscription 1 via email
or another method.
$vnet5gw.Name
$vnet5gw.Id
These two elements will have values similar to the following example output:
PS C:\> $vnet5gw.Name
VNet5GW
PS C:\> $vnet5gw.Id
/subscriptions/66c8e4f1-ecd6-47ed-9de7-
7e530de23994/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW
3. [Subscription 1] Create the TestVNet1 to TestVNet5 connection. In this step, you create the connection
from TestVNet1 to TestVNet5. The difference here is that $vnet5gw cannot be obtained directly because it
is in a different subscription. You will need to create a new PowerShell object with the values
communicated from Subscription 1 in the steps above. Use the example below. Replace the Name, Id, and
shared key with your own values. The important thing is that the shared key must match for both
connections. Creating a connection can take a short while to complete.
Connect to Subscription 1 before running the following example:
4. [Subscription 5] Create the TestVNet5 to TestVNet1 connection. This step is similar to the one above,
except you are creating the connection from TestVNet5 to TestVNet1. The same process of creating a
PowerShell object based on the values obtained from Subscription 1 applies here as well. In this step, be
sure that the shared keys match.
Connect to Subscription 5 before running the following example:
You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection'
cmdlet, with or without '-Debug'.
1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in
order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
VNet-to-VNet FAQ
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on
the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using
VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the
same VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See the Virtual
Machines documentation for more information.
For information about BGP, see the BGP Overview and How to configure BGP.
Configure a VNet-to-VNet VPN gateway connection
using Azure CLI
6/2/2017 14 min to read Edit Online
This article shows you how to create a VPN gateway connection between virtual networks. The virtual networks can
be in the same or different regions, and from the same or different subscriptions. The steps in this article apply to
the Resource Manager deployment model and uses the Azure CLI. You can also create this configuration using a
different deployment tool or deployment model by selecting a different option from the following list:
Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-
premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. If
your VNets are in the same region, you may want to consider connecting them using VNet Peering. VNet peering
does not use a VPN gateway. For more information, see VNet peering.
VNet-to-VNet communication can be combined with multi-site configurations. This lets you establish network
topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the
following diagram:
az login
2. If you have more than one Azure subscription, list the subscriptions for the account.
2. Create TestVNet1 and the subnets for TestVNet1. This example creates a virtual network named TestVNet1
and a subnet named FrontEnd.
3. Create an additional address space for the backend subnet. Notice that in this step, we specify both the
address space that we created earlier, and the additional address space that we want to add. This is because
the az network vnet update command overwrites the previous settings. Make sure to specify all of the
address prefixes when using this command.
az network vnet subnet create --vnet-name TestVNet1 -n BackEnd -g TestRG1 --address-prefix 10.12.0.0/24
5. Create the gateway subnet. Notice that the gateway subnet is named 'GatewaySubnet'. This name is
required. In this example, the gateway subnet is using a /27. While it is possible to create a gateway subnet
as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting at
least /28 or /27. This will allow for enough addresses to accommodate possible additional configurations
that you may want in the future.
az network vnet subnet create --vnet-name TestVNet1 -n GatewaySubnet -g TestRG1 --address-prefix
10.12.255.0/27
6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the
AllocationMethod is Dynamic. You cannot specify the IP address that you want to use. It's dynamically
allocated to your gateway.
7. Create the virtual network gateway for TestVNet1. VNet-to-VNet configurations require a RouteBased
VpnType. If you run this command using the '--no-wait' parameter, you don't see any feedback or output.
The '--no-wait' parameter allows the gateway to create in the background. It does not mean that the VPN
gateway finishes creating immediately. Creating a gateway can often take 45 minutes or more, depending
on the gateway SKU that you use.
2. Create TestVNet4.
In the output, find the "id:" line. The values within the quotes are needed to create the connection in the next
section. Copy these values to a text editor, such as Notepad, so that you can easily paste them when creating
your connection.
Example output:
"activeActive": false,
"bgpSettings": {
"asn": 65515,
"bgpPeeringAddress": "10.12.255.30",
"peerWeight": 0
},
"enableBgp": false,
"etag": "W/\"ecb42bc5-c176-44e1-802f-b0ce2962ac04\"",
"gatewayDefaultSite": null,
"gatewayType": "Vpn",
"id": "/subscriptions/d6ff83d6-713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW",
"ipConfigurations":
"id": "/subscriptions/d6ff83d6-713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"
2. Get the Resource ID of VNet4GW and copy the values to a text editor.
3. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to
TestVNet4. There is a shared key referenced in the examples. You can use your own values for the shared
key. The important thing is that the shared key must match for both connections. Creating a connection
takes a short while to complete.
4. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating
the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. It takes a few minutes to
establish the connection.
az network vpn-connection create -n VNet4ToVNet1 -g TestRG4 --vnet-gateway1 /subscriptions/d6ff83d6-
713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG4/providers/Microsoft.Network/virtualNetworkGateways/VNet4GW -l westus
--shared-key "aabbcc" --vnet-gateway2 /subscriptions/d6ff83d6-713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1G
2. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating
the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. It takes a few minutes to
establish the connection.
In this scenario, we connect TestVNet1 and TestVNet5. The VNets reside different subscriptions. The steps for this
configuration add an additional VNet-to-VNet connection in order to connect TestVNet1 to TestVNet5.
Step 5 - Create and configure TestVNet1
These instructions continue from the steps in the preceding sections. You must complete Step 1 and Step 2 to
create and configure TestVNet1 and the VPN Gateway for TestVNet1. For this configuration, you are not required
to create TestVNet4 from the previous section, although if you do create it, it will not conflict with these steps. Once
you complete Step 1 and Step 2, continue with Step 6 (below).
Step 6 - Verify the IP address ranges
When creating additional connections, it's important to verify that the IP address space of the new virtual network
does not overlap with any of your other VNet ranges or local network gateway ranges. For this exercise, you can
use the following values for the TestVNet5:
Values for TestVNet5:
VNet Name: TestVNet5
Resource Group: TestRG5
Location: Japan East
TestVNet5: 10.51.0.0/16 & 10.52.0.0/16
FrontEnd: 10.51.0.0/24
BackEnd: 10.52.0.0/24
GatewaySubnet: 10.52.255.0.0/27
GatewayName: VNet5GW
Public IP: VNet5GWIP
VPNType: RouteBased
Connection: VNet5toVNet1
ConnectionType: VNet2VNet
Step 7 - Create and configure TestVNet5
This step must be done in the context of the new subscription, Subscription 5. This part may be performed by the
administrator in a different organization that owns the subscription. To switch between subscriptions use 'az
account list --all' to list the subscriptions available to your account, then use 'az account set --subscription ' to
switch to the subscription that you want to use.
1. Make sure you are connected to Subscription 5, then create a resource group.
2. Create TestVNet5.
3. Add subnets.
Copy the output for "id:". Send the ID and the name of the VNet gateway (VNet1GW) to the administrator of
Subscription 5 via email or another method.
Example output:
"id": "/subscriptions/d6ff83d6-713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"
2. [Subscription 5] Log in and connect to Subscription 5. Run the following command to get the name and ID
of the Gateway from the output:
Copy the output for "id:". Send the ID and the name of the VNet gateway (VNet5GW) to the administrator of
Subscription 1 via email or another method.
3. [Subscription 1] In this step, you create the connection from TestVNet1 to TestVNet5. You can use your
own values for the shared key, however, the shared key must match for both connections. Creating a
connection can take a short while to complete. Make sure you connect to Subscription 1.
4. [Subscription 5] This step is similar to the one above, except you are creating the connection from
TestVNet5 to TestVNet1. Make sure that the shared keys match and that you connect to Subscription 5.
You can verify that your connection succeeded by using the az network vpn-connection show command. In the
example,'--name'refers to the name of the connection that you want to test. When the connection is in the process
of being established, its connection status shows 'Connecting'. Once the connection is established, the status
changes to 'Connected'.
az network vpn-connection show --name VNet1toSite2 --resource-group TestRG1
VNet-to-VNet FAQ
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the
source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet
Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same
VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more
information, see the Virtual Machines documentation.
For information about BGP, see the BGP Overview and How to configure BGP.
Configure a VNet-to-VNet connection (classic)
6/6/2017 11 min to read Edit Online
This article shows you how to create a VPN gateway connection between virtual networks. The virtual networks
can be in the same or different regions, and from the same or different subscriptions. The steps in this article apply
to the classic deployment model and the Azure portal. You can also create this configuration using a different
deployment tool or deployment model by selecting a different option from the following list:
CONNECTS TO LOCAL
VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE
CONNECTS TO LOCAL
VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE
1. Locate TestVNet1 in the Azure portal. In the VPN connections section of the blade, click Gateway.
2. On the New VPN Connection page, select Site-to-Site.
3. Click Local site to open the Local site page and configure the settings.
4. On the Local site page, name your local site. In our example, we name the local site 'VNet4Local'.
5. For VPN gateway IP address, you can use any IP address that you want, as long as it's in a valid format.
Typically, youd use the actual external IP address for a VPN device. But, for a classic VNet-to-VNet
configuration, you use the public IP address that is assigned to the gateway for your VNet. Given that youve
not yet created the virtual network gateway, you specify any valid public IP address as a placeholder.
Don't leave this blank - it's not optional for this configuration. In a later step, you go back into these settings
and configure them with the corresponding virtual network gateway IP addresses once Azure generates it.
6. For Client Address Space, use the address space of the other VNet. Refer to your planning example. Click
OK to save your settings and return back to the New VPN Connection blade.
3. On the Site-to-Site VPN Connections blade, click the name of the local site that you want to modify.
4. Click the Local site that you want to modify.
5. Update the VPN gateway IP address and click OK to save the settings.
Login-AzureRmAccount
Get-AzureRmSubscription
If you have more than one subscription, select the subscription that you want to use.
Next, use the following cmdlet to add your Azure subscription to PowerShell for the classic deployment
model.
Add-AzureAccount
3. Export and view the network configuration file. Create a directory on your computer and then export the
network configuration file to the directory. In this example, the network configuration file is exported to
C:\AzureNet.
4. Open the file with a text editor and view the names for your VNets and sites. These will be the name you use
when you create your connections.
VNet names are listed as VirtualNetworkSite name =
Site names are listed as LocalNetworkSiteRef name =
3. Wait for the connections to initialize. Once the gateway has initialized, the Status is 'Successful'.
Error :
HttpStatusCode : OK
Id :
Status : Successful
RequestId :
StatusCode : OK
Next steps
Verify your connections. See Verify a VPN Gateway connection.
Connect virtual networks from different deployment
models using the portal
4/27/2017 18 min to read Edit Online
This article shows you how to connect classic VNets to Resource Manager VNets to allow the resources located in
the separate deployment models to communicate with each other. The steps in this article primarily use the Azure
portal, but you can also create this configuration using the PowerShell by selecting the article from this list.
Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site
location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a
connection between VNets that are in different subscriptions and in different regions. You can also connect VNets
that already have connections to on-premises networks, as long as the gateway that they have been configured
with is dynamic or route-based. For more information about VNet-to-VNet connections, see the VNet-to-VNet
FAQ at the end of this article.
If your VNets are in the same region, you may want to instead consider connecting them using VNet Peering.
VNet peering does not use a VPN gateway. For more information, see VNet peering.
Prerequisites
These steps assume that both VNets have already been created. If you are using this article as an exercise and
don't have VNets, there are links in the steps to help you create them.
Verify that the address ranges for the VNets do not overlap with each other, or overlap with any of the ranges
for other connections that the gateways may be connected to.
Install the latest PowerShell cmdlets for both Resource Manager and Service Management (classic). In this
article, we use both the Azure portal and PowerShell. PowerShell is required to create the connection from the
classic VNet to the Resource Manager VNet. For more information, see How to install and configure Azure
PowerShell.
Example settings
You can use these values to create a test environment, or refer to them to better understand the examples in this
article.
Classic VNet
VNet name = ClassicVNet
Address space = 10.0.0.0/24
Subnet-1 = 10.0.0.0/27
Resource Group = ClassicRG
Location = West US
GatewaySubnet = 10.0.0.32/28
Local site = RMVNetLocal
Resource Manager VNet
VNet name = RMVNet
Address space = 192.168.0.0/16
Subnet-1 = 192.168.1.0/24
GatewaySubnet = 192.168.0.0/26
Resource Group = RG1
Location = East US
Virtual network gateway name = RMGateway
Gateway type = VPN
VPN type = Route-based
Gateway Public IP address name = rmgwpip
Local network gateway = ClassicVNetLocal
Connection name = RMtoClassic
Connection overview
For this configuration, you create a VPN gateway connection over an IPsec/IKE VPN tunnel between the virtual
networks. Make sure that none of your VNet ranges overlap with each other, or with any of the local networks
that they connect to.
The following table shows an example of how the example VNets and local sites are defined:
CONNECTS TO LOCAL
VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE
3. On the New VPN Connection blade, for Connection type, select Site-to-site.
4. For Local site, click Configure required settings. This opens the Local site blade.
5. On the Local site blade, create a name to refer to the Resource Manager VNet. For example, 'RMVNetLocal'.
6. If the VPN gateway for the Resource Manager VNet already has a Public IP address, use the value for the VPN
gateway IP address field. If you are doing these steps as an exercise, or don't yet have a virtual network
gateway for your Resource Manager VNet, you can make up a placeholder IP address. Make sure that the
placeholder IP address uses a valid format. Later, you replace the placeholder IP address with the Public IP
address of the Resource Manager virtual network gateway.
7. For Client Address Space, use the values for the virtual network IP address spaces for the Resource Manager
VNet. This setting is used to specify the address spaces to route to the Resource Manager virtual network.
8. Click OK to save the values and return to the New VPN Connection blade.
Part 2 - Create the virtual network gateway
1. On the New VPN Connection blade, select the Create gateway immediately checkbox and click
Optional gateway configuration to open the Gateway configuration blade.
2. Click Subnet - Configure required settings to open the Add subnet blade. The Name is already configured
with the required value GatewaySubnet.
3. The Address range refers to the range for the gateway subnet. Although you can create a gateway subnet
with a /29 address range (3 addresses), we recommend creating a gateway subnet that contains more IP
addresses. This will accommodate future configurations that may require more available IP addresses. If
possible, use /27 or /28. If you are using these steps as an exercise, you can refer to the Example values. Click
OK to create the gateway subnet.
4. On the Gateway configuration blade, Size refers to the gateway SKU. Select the gateway SKU for your VPN
gateway.
5. Verify the Routing Type is Dynamic, then click OK to return to the New VPN Connection blade.
6. On the New VPN Connection blade, click OK to begin creating your VPN gateway. Creating a VPN gateway
can take up to 45 minutes to complete.
Part 3 - Copy the virtual network gateway Public IP address
After the virtual network gateway has been created, you can view the gateway IP address.
1. Navigate to your classic VNet, and click Overview.
2. Click VPN connections to open the VPN connections blade. On the VPN connections blade, you can view the
Public IP address. This is the Public IP address assigned to your virtual network gateway.
3. Write down or copy the IP address. You use it in later steps when you work with your Resource Manager local
network gateway configuration settings. You can also view the status of your gateway connections. Notice the
local network site you created is listed as 'Connecting'. The status will change after you have created your
connections.
4. Close the blade after copying the gateway IP address.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
1. In the portal, navigate to the Resource Manager virtual network for which you want to create a virtual network
gateway.
2. In the Settings section of your VNet blade, click Subnets to expand the Subnets blade.
3. On the Subnets blade, click +Gateway subnet to open the Add subnet blade.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required
in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range
values to match your configuration requirements.
1. In the portal, from All resources, click +Add. In the Everything blade search box, type Local network
gateway, then click to return a list of resources. Click Local network gateway to open the blade, then
click Create to open the Create local network gateway blade.
2. On the Create local network gateway blade, specify a Name for your local network gateway object. If
possible, use something intuitive, such as ClassicVNetLocal or TestVNet1Local. This makes it easier for
you to identify the local network gateway in the portal.
3. Specify a valid Public IP address for the VPN device or virtual network gateway to which you want to connect.
If this local network represents an on-premises location: Specify the Public IP address of the VPN device
that you want to connect to. It cannot be behind NAT and has to be reachable by Azure.
If this local network represents another VNet: Specify the Public IP address that was assigned to the
virtual network gateway for that VNet.
If you don't yet have the IP address: You can make up a valid placeholder IP address, and then come back
and modify this setting before connecting.
4. Address Space refers to the address ranges for the network that this local network represents. You can add
multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other
networks to which you connect.
5. For Subscription, verify that the correct subscription is showing.
6. For Resource Group, select the resource group that you want to use. You can either create a new resource
group, or select one that you have already created.
7. For Location, select the location in which this resource will be created. You may want to select the same
location that your VNet resides in, but you are not required to do so.
8. Click Create to create the local network gateway.
4. On the Site-to-site VPN connections blade, click the name of the site.
5. On the connection blade for your local site, click the name of the local site to open the Local site blade.
6. On the Local site blade, replace the VPN gateway IP address with the IP address of the Resource
Manager gateway.
7. Click OK to update the IP address.
Login-AzureRmAccount
Get a list of your Azure subscriptions if you have more than one subscription.
Get-AzureRmSubscription
Add your Azure Account to use the classic PowerShell cmdlets (SM). To do so, you can use the following
command:
Add-AzureAccount
Open the file with a text editor and view the name for your classic VNet. Use the names in the network
configuration file when running your PowerShell cmdlets.
VNet names are listed as VirtualNetworkSite name =
Site names are listed as LocalNetworkSite name=
3. Create the connection
Set the shared key and create the connection from the classic VNet to the Resource Manager VNet. You cannot set
the shared key using the portal. Make sure you run these steps while logged in using the classic version of the
PowerShell cmdlets. To do so, use Add-AzureAccount. Otherwise, you will not be able to set the '-
AzureVNetGatewayKey'.
In this example, -VNetName is the name of the classic VNet as found in your network configuration file.
The -LocalNetworkSiteName is the name you specified for the local site, as found in your network
configuration file.
The -SharedKey is a value that you generate and specify. For this example, we used abc123, but you can
generate something more complex. The important thing is that the value you specify here must be the same
value that you specified when creating your Resource Manager to classic connection.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
To verify the connection from your Resource Manager VNet to your classic VNet
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made
a successful connection.
VNet-to-VNet FAQ
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on
the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using
VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the
same VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Connect virtual networks from different deployment
models using PowerShell
4/27/2017 14 min to read Edit Online
This article shows you how to connect classic VNets to Resource Manager VNets to allow the resources located in
the separate deployment models to communicate with each other. The steps in this article use PowerShell, but you
can also create this configuration using the Azure portal by selecting the article from this list.
Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site
location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a
connection between VNets that are in different subscriptions and in different regions. You can also connect VNets
that already have connections to on-premises networks, as long as the gateway that they have been configured
with is dynamic or route-based. For more information about VNet-to-VNet connections, see the VNet-to-VNet
FAQ at the end of this article.
If your VNets are in the same region, you may want to instead consider connecting them using VNet Peering.
VNet peering does not use a VPN gateway. For more information, see VNet peering.
Before beginning
The following steps walk you through the settings necessary to configure a dynamic or route-based gateway for
each VNet and create a VPN connection between the gateways. This configuration does not support static or
policy-based gateways.
Prerequisites
Both VNets have already been created.
The address ranges for the VNets do not overlap with each other, or overlap with any of the ranges for other
connections that the gateways may be connected to.
You have installed the latest PowerShell cmdlets. See How to install and configure Azure PowerShell for more
information. Make sure you install both the Service Management (SM) and the Resource Manager (RM)
cmdlets.
Example settings
You can use these values to create a test environment, or refer to them to better understand the examples in this
article.
Classic VNet settings
VNet Name = ClassicVNet
Location = West US
Virtual Network Address Spaces = 10.0.0.0/24
Subnet-1 = 10.0.0.0/27
GatewaySubnet = 10.0.0.32/29
Local Network Name = RMVNetLocal
GatewayType = DynamicRouting
Resource Manager VNet settings
VNet Name = RMVNet
Resource Group = RG1
Virtual Network IP Address Spaces = 192.168.0.0/16
Subnet-1 = 192.168.1.0/24
GatewaySubnet = 192.168.0.0/26
Location = East US
Gateway public IP name = gwpip
Local Network Gateway = ClassicVNetLocal
Virtual Network Gateway name = RMGateway
Gateway IP addressing configuration = gwipconfig
Add-AzureAccount
2. Export your Azure network configuration file by running the following command. You can change the
location of the file to export to a different location if necessary.
3. Open the .xml file that you downloaded to edit it. For an example of the network configuration file, see the
Network Configuration Schema.
Part 2 -Verify the gateway subnet
In the VirtualNetworkSites element, add a gateway subnet to your VNet if one has not already been created.
When working with the network configuration file, the gateway subnet MUST be named "GatewaySubnet" or
Azure cannot recognize and use it as a gateway subnet.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
Example:
<VirtualNetworkSites>
<VirtualNetworkSite name="ClassicVNet" Location="West US">
<AddressSpace>
<AddressPrefix>10.0.0.0/24</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="Subnet-1">
<AddressPrefix>10.0.0.0/27</AddressPrefix>
</Subnet>
<Subnet name="GatewaySubnet">
<AddressPrefix>10.0.0.32/29</AddressPrefix>
</Subnet>
</Subnets>
</VirtualNetworkSite>
</VirtualNetworkSites>
Part 3 - Add the local network site
The local network site you add represents the RM VNet to which you want to connect. Add a LocalNetworkSites
element to the file if one doesn't already exist. At this point in the configuration, the VPNGatewayAddress can be
any valid public IP address because we haven't yet created the gateway for the Resource Manager VNet. Once we
create the gateway, we replace this placeholder IP address with the correct public IP address that has been
assigned to the RM gateway.
<LocalNetworkSites>
<LocalNetworkSite name="RMVNetLocal">
<AddressSpace>
<AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>13.68.210.16</VPNGatewayAddress>
</LocalNetworkSite>
</LocalNetworkSites>
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="RMVNetLocal">
<Connection type="IPsec" />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
You will see a similar result showing that the import succeeded.
You can check the status of the gateway by using the Get-AzureVNetGateway cmdlet.
Login-AzureRmAccount
Get a list of your Azure subscriptions if you have more than one subscription.
Get-AzureRmSubscription
2. Create a local network gateway. In a virtual network, the local network gateway typically refers to your on-
premises location. In this case, the local network gateway refers to your Classic VNet. Give it a name by
which Azure can refer to it, and also specify the address space prefix. Azure uses the IP address prefix you
specify to identify which traffic to send to your on-premises location. If you need to adjust the information
here later, before creating your gateway, you can modify the values and run the sample again.
-Name is the name you want to assign to refer to the local network gateway.
-AddressPrefix is the Address Space for your classic VNet.
-GatewayIpAddress is the public IP address of the classic VNet's gateway. Be sure to change the following
sample to reflect the correct IP address.
3. Request a public IP address to be allocated to the virtual network gateway for the Resource Manager VNet.
You can't specify the IP address that you want to use. The IP address is dynamically allocated to the virtual
network gateway. However, this does not mean the IP address changes. The only time the virtual network
gateway IP address changes is when the gateway is deleted and recreated. It doesn't change across resizing,
resetting, or other internal maintenance/upgrades of the gateway.
In this step, we also set a variable that is used in a later step.
4. Verify that your virtual network has a gateway subnet. If no gateway subnet exists, add one. Make sure the
gateway subnet is named GatewaySubnet.
5. Retrieve the subnet used for the gateway by running the following command. In this step, we also set a
variable to be used in the next step.
-Name is the name of your Resource Manager VNet.
-ResourceGroupName is the resource group that the VNet is associated with. The gateway subnet must
already exist for this VNet and must be named GatewaySubnet to work properly.
6. Create the gateway IP addressing configuration. The gateway configuration defines the subnet and the
public IP address to use. Use the following sample to create your gateway configuration.
In this step, the -SubnetId and -PublicIpAddressId parameters must be passed the id property from the
subnet, and IP address objects, respectively. You can't use a simple string. These variables are set in the step
to request a public IP and the step to retrieve the subnet.
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig `
-Name gwipconfig -SubnetId $subnet.id `
-PublicIpAddressId $ipaddress.id
7. Create the Resource Manager virtual network gateway by running the following command. The -VpnType
must be RouteBased. It can take 45 minutes or more for the gateway to create.
8. Copy the public IP address once the VPN gateway has been created. You use it when you configure the
local network settings for your Classic VNet. You can use the following cmdlet to retrieve the public IP
address. The public IP address is listed in the return as IpAddress.
2. Using a text editor, modify the value for VPNGatewayAddress. Replace the placeholder IP address with the
public IP address of the Resource Manager gateway and then save the changes.
<VPNGatewayAddress>13.68.210.16</VPNGatewayAddress>
In following example, -VNetName is the name of the classic VNet and -LocalNetworkSiteName is the
name you specified for the local network site. The -SharedKey is a value that you generate and specify. In
the example, we used 'abc123', but you can generate and use something more complex. The important
thing is that the value you specify here must be the same value that you specify in the next step when you
create your connection. The return should show Status: Successful.
Create the connection. Notice that the -ConnectionType is IPsec, not Vnet2Vnet.
2. After the cmdlet has finished, view the values. In the example below, the Connectivity State shows as
'Connected' and you can see ingress and egress bytes.
ConnectivityState : Connected
EgressBytesTransferred : 181664
IngressBytesTransferred : 182080
LastConnectionEstablished : 1/7/2016 12:40:54 AM
LastEventID : 24401
LastEventMessage : The connectivity state for the local network site 'RMVNetLocal' changed
from Connecting to
Connected.
LastEventTimeStamp : 1/7/2016 12:40:54 AM
LocalNetworkSiteName : RMVNetLocal
Azure portal
In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your classic virtual network.
2. On the virtual network blade, click Overview to access the VPN connections section of the blade.
3. On the VPN connections graphic, click the site.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
To verify the connection from your Resource Manager VNet to your classic VNet
PowerShell
You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection'
cmdlet, with or without '-Debug'.
1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in
order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
Azure portal
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made
a successful connection.
VNet-to-VNet FAQ
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the
source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet
Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same
VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Configure ExpressRoute and Site-to-Site coexisting
connections
6/7/2017 8 min to read Edit Online
Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages. You can configure
a Site-to-Site VPN as a secure failover path for ExressRoute, or use Site-to-Site VPNs to connect to sites that are
not connected through ExpressRoute. We cover the steps to configure both scenarios in this article. This article
applies to the Resource Manager deployment model and uses PowerShell. This configuration is not available in the
Azure portal.
IMPORTANT
ExpressRoute circuits must be pre-configured before you follow the instructions below. Make sure that you have followed
the guides to create an ExpressRoute circuit and configure routing before you proceed.
Configuration designs
Configure a Site -to -Site VPN as a failover path for ExpressRoute
You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This applies only to virtual
networks linked to the Azure private peering path. There is no VPN-based failover solution for services accessible
through Azure public and Microsoft peerings. The ExpressRoute circuit is always the primary link. Data flows
through the Site-to-Site VPN path only if the ExpressRoute circuit fails.
NOTE
While ExpressRoute circuit is preferred over Site-to-Site VPN when both routes are the same, Azure will use the longest prefix
match to choose the route towards the packet's destination.
Configure a Site -to -Site VPN to connect to sites not connected through ExpressRoute
You can configure your network where some sites connect directly to Azure over Site-to-Site VPN, and some sites
connect through ExpressRoute.
NOTE
You cannot configure a virtual network as a transit router.
login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName 'yoursubscription'
$location = "Central US"
$resgrp = New-AzureRmResourceGroup -Name "ErVpnCoex" -Location $location
$VNetASN = 65010
3. Create a virtual network including Gateway Subnet. For more information about the virtual network
configuration, see Azure Virtual Network configuration.
IMPORTANT
The Gateway Subnet must be /27 or a shorter prefix (such as /26 or /25).
Add subnets.
4. Create an ExpressRoute gateway. For more information about the ExpressRoute gateway configuration, see
ExpressRoute gateway configuration. The GatewaySKU must be Standard, HighPerformance, or
UltraPerformance.
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwIP = New-AzureRmPublicIpAddress -Name "ERGatewayIP" -ResourceGroupName $resgrp.ResourceGroupName -
Location $location -AllocationMethod Dynamic
$gwConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name "ERGatewayIpConfig" -SubnetId $gwSubnet.Id -
PublicIpAddressId $gwIP.Id
$gw = New-AzureRmVirtualNetworkGateway -Name "ERGateway" -ResourceGroupName $resgrp.ResourceGroupName -
Location $location -IpConfigurations $gwConfig -GatewayType "ExpressRoute" -GatewaySku Standard
5. Link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the
connection between your on-premises network and Azure, through ExpressRoute, is established. For more
information about the link operation, see Link VNets to ExpressRoute.
6. Next, create your Site-to-Site VPN gateway. For more information about the VPN gateway configuration,
see Configure a VNet with a Site-to-Site connection. The GatewaySKU must be Standard, HighPerformance,
or UltraPerformance. The VpnType must RouteBased.
Azure VPN gateway supports BGP routing protocol. You can specify ASN (AS Number) for that Virtual
Network by adding the -Asn switch in the following command. Not specifying that parameter will default to
AS number 65515.
You can find the BGP peering IP and the AS number that Azure uses for the VPN gateway in
$azureVpn.BgpSettings.BgpPeeringAddress and $azureVpn.BgpSettings.Asn. For more information, see
Configure BGP for Azure VPN gateway.
7. Create a local site VPN gateway entity. This command doesnt configure your on-premises VPN gateway.
Rather, it allows you to provide the local gateway settings, such as the public IP and the on-premises
address space, so that the Azure VPN gateway can connect to it.
If your local VPN device only supports static routing, you can configure the static routes in the following
way:
$MyLocalNetworkAddress = @("10.100.0.0/16","10.101.0.0/16","10.102.0.0/16")
$localVpn = New-AzureRmLocalNetworkGateway -Name "LocalVPNGateway" -ResourceGroupName
$resgrp.ResourceGroupName -Location $location -GatewayIpAddress *<Public IP>* -AddressPrefix
$MyLocalNetworkAddress
If your local VPN device supports the BGP and you want to enable dynamic routing, you need to know the
BGP peering IP and the AS number that your local VPN device uses.
8. Configure your local VPN device to connect to the new Azure VPN gateway. For more information about VPN
device configuration, see VPN Device Configuration.
9. Link the Site-to-Site VPN gateway on Azure to the local gateway.
NOTE
When you delete the existing gateway, your local premises will lose the connection to your virtual network while you are
working on this configuration.
1. You'll need to install the latest version of the Azure PowerShell cmdlets. For more information about installing
cmdlets, see How to install and configure Azure PowerShell. The cmdlets that you use for this configuration
may be slightly different than what you might be familiar with. Be sure to use the cmdlets specified in these
instructions.
2. Delete the existing ExpressRoute or Site-to-Site VPN gateway.
5. At this point, you have a VNet with no gateways. To create new gateways and complete your connections, you
can proceed with Step 4 - Create an ExpressRoute gateway, found in the preceding set of steps.
2. Upload the VPN root certificate to Azure for your VPN gateway. In this example, it's assumed that the root
certificate is stored in the local machine where the following PowerShell cmdlets are run.
$p2sCertFullName = "RootErVpnCoexP2S.cer"
$p2sCertMatchName = "RootErVpnCoexP2S"
$p2sCertToUpload=get-childitem Cert:\CurrentUser\My | Where-Object {$_.Subject -match
$p2sCertMatchName}
if ($p2sCertToUpload.count -eq 1){write-host "cert found"} else {write-host "cert not found" exit}
$p2sCertData = [System.Convert]::ToBase64String($p2sCertToUpload.RawData) Add-
AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $p2sCertFullName -
VirtualNetworkGatewayname $azureVpn.Name -ResourceGroupName $resgrp.ResourceGroupName -PublicCertData
$p2sCertData
Next steps
For more information about ExpressRoute, see the ExpressRoute FAQ.
Add a Site-to-Site connection to a VNet with an
existing VPN gateway connection
5/10/2017 3 min to read Edit Online
This article walks you through using the Azure portal to add Site-to-Site (S2S) connections to a VPN gateway that
has an existing connection. This type of connection is often referred to as a "multi-site" configuration. You can add
a S2S connection to a VNet that already has a S2S connection, Point-to-Site connection, or VNet-to-VNet
connection. There are some limitations when adding connections. Check the Before you begin section in this article
to verify before you start your configuration.
This article applies to VNets created using the Resource Manager deployment model that have a RouteBased VPN
gateway. These steps do not apply to ExpressRoute/Site-to-Site coexisting connection configurations. See
ExpressRoute/S2S coexisting connections for information about coexisting connections.
Deployment models and methods
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work
in. For information about the deployment models, see Understanding deployment models. If you are new to Azure,
we recommend that you use the Resource Manager deployment model.
We update this table as new articles and additional tools become available for this configuration. When an article
is available, we link directly to it from this table.
DEPLOYMENT
MODEL/METHOD AZURE PORTAL CLASSIC PORTAL POWERSHELL
3. On the Create local network gateway blade, fill out the following fields:
Name: The name you want to give to the local network gateway resource.
IP address: The public IP address of the VPN device on the site that you want to connect to.
Address space: The address space that you want to be routed to the new local network site.
4. Click OK on the Create local network gateway blade to save the changes.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See the virtual machines
learning path for more information.
Add a Site-to-Site connection to a VNet with an
existing VPN gateway connection (classic)
4/27/2017 6 min to read Edit Online
This article walks you through using PowerShell to add Site-to-Site (S2S) connections to a VPN gateway that has
an existing connection. This type of connection is often referred to as a "multi-site" configuration. The steps in this
article apply to virtual networks created using the classic deployment model (also known as Service
Management). These steps do not apply to ExpressRoute/Site-to-Site coexisting connection configurations.
Deployment models and methods
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work
in. For information about the deployment models, see Understanding deployment models. If you are new to
Azure, we recommend that you use the Resource Manager deployment model.
We update this table as new articles and additional tools become available for this configuration. When an article
is available, we link directly to it from this table.
DEPLOYMENT
MODEL/METHOD AZURE PORTAL CLASSIC PORTAL POWERSHELL
About connecting
You can connect multiple on-premises sites to a single virtual network. This is especially attractive for building
hybrid cloud solutions. Creating a multi-site connection to your Azure virtual network gateway is similar to
creating other Site-to-Site connections. In fact, you can use an existing Azure VPN gateway, as long as the gateway
is dynamic (route-based).
If you already have a static gateway connected to your virtual network, you can change the gateway type to
dynamic without needing to rebuild the virtual network in order to accommodate multi-site. Before changing the
routing type, make sure that your on-premises VPN gateway supports route-based VPN configurations.
Points to consider
You won't be able to use the portal to make changes to this virtual network. You need to make changes to
the network configuration file instead of using the portal. If you make changes in the portal, they'll overwrite your
multi-site reference settings for this virtual network.
You should feel comfortable using the network configuration file by the time you've completed the multi-site
procedure. However, if you have multiple people working on your network configuration, you'll need to make
sure that everyone knows about this limitation. This doesn't mean that you can't use the portal at all. You can use
it for everything else, except making configuration changes to this particular virtual network.
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="Site1"><Connection type="IPsec" /></LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
To add additional site references (create a multi-site configuration), simply add additional "LocalNetworkSiteRef"
lines, as shown in the example below:
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="Site1"><Connection type="IPsec" /></LocalNetworkSiteRef>
<LocalNetworkSiteRef name="Site2"><Connection type="IPsec" /></LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
6. Download keys
Once your new tunnels have been added, use the PowerShell cmdlet 'Get-AzureVNetGatewayKey' to get the
IPsec/IKE pre-shared keys for each tunnel.
For example:
If you prefer, you can also use the Get Virtual Network Gateway Shared Key REST API to get the pre-shared keys.
Example return:
ConnectivityState : Connected
EgressBytesTransferred : 661530
IngressBytesTransferred : 519207
LastConnectionEstablished : 5/2/2014 2:51:40 PM
LastEventID : 23401
LastEventMessage : The connectivity state for the local network site 'Site1' changed from Not
Connected to Connected.
LastEventTimeStamp : 5/2/2014 2:51:40 PM
LocalNetworkSiteName : Site1
OperationDescription : Get-AzureVNetConnection
OperationId : 7f68a8e6-51e9-9db4-88c2-16b8067fed7f
OperationStatus : Succeeded
ConnectivityState : Connected
EgressBytesTransferred : 789398
IngressBytesTransferred : 143908
LastConnectionEstablished : 5/2/2014 3:20:40 PM
LastEventID : 23401
LastEventMessage : The connectivity state for the local network site 'Site2' changed from Not
Connected to Connected.
LastEventTimeStamp : 5/2/2014 2:51:40 PM
LocalNetworkSiteName : Site2
OperationDescription : Get-AzureVNetConnection
OperationId : 7893b329-51e9-9db4-88c2-16b8067fed7f
OperationStatus : Succeeded
Next steps
To learn more about VPN Gateways, see About VPN Gateways.
Connect Azure VPN gateways to multiple on-
premises policy-based VPN devices using PowerShell
6/13/2017 6 min to read Edit Online
This article walks you through the steps to configure an Azure route-based VPN gateway to connect to multiple
on-premises poilcy-based VPN devices leveraging custom IPsec/IKE policies on S2S VPN connections.
With the custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based
traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices.
This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises
policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN
gateways.
IMPORTANT
1. To enable this connectivity, your on-premises policy-based VPN devices must support IKEv2 to connect to the Azure
route-based VPN gateways. Please check with your VPN device specifications.
2. The on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the
Azure virtual network; cannot transit to other on-premises networks or virtual networks via the same Azure VPN
gateway.
3. The configuration option is part of the custom IPsec/IKE connection policy. You must specify the complete policy
(IPsec/IKE encryption and integrity algorithms, key strengths, and SA lifetimes) if you enable the policy-based traffic
selector option.
The diagram below shows why transit routing via Azure VPN gateway will not work with the policy-based option.
As shown in the diagram, the Azure VPN gateway will have traffic selectors from the virtual network to each on-
premises network prefixes, but not the cross-connection prefixes. E.g., on-premises site 2, site 3, and site 4 can
each communicate to VNet1 respectively, but cannot connect via the Azure VPN gateway to each other. The
diagram shows the cross-connect traffic selectors that are not available in the Azure VPN gateway under this
configuration.
$Sub1 = "<YourSubscriptionName>"
$RG1 = "TestPolicyRG1"
$Location1 = "East US 2"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$Connection16 = "VNet1toSite6"
$LNGName6 = "Site6"
$LNGPrefix61 = "10.61.0.0/16"
$LNGPrefix62 = "10.62.0.0/16"
$LNGIP6 = "131.107.72.22"
Make sure you switch to PowerShell mode to use the Resource Manager cmdlets. For more information, see Using
Windows PowerShell with Resource Manager.
Open your PowerShell console and connect to your account. Use the following sample to help you connect:
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
2. Create the virtual network, VPN gateway, and local network gateway
The sample below creates the virtual network, TestVNet1, with three subnets, and the VPN gateway. When
substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you
name it something else, your gateway creation will fail.
IMPORTANT
You need to create an IPsec/IKE policy in order to enable "UsePolicyBasedTrafficSelectors" option on the connection.
The sample script below creates an IPsec/IKE policy with the following algorithms and parameters:
IKEv2: AES256, SHA384, DHGroup24
IPsec: AES256, SHA256, PFS24, SA Lifetime 3600 seconds & 2048KB
2. Create the S2S VPN connection with policy-based traffic selectors and IPsec/IKE policy
Create an S2S VPN connection and apply the IPsec/IKE policy created above. Note the additional parameter "-
UsePolicyBasedTrafficSelectors $True" to enable poicy-based traffic selectors on the connection.
After completing the steps, the S2S VPN connection will use the IPsec/IKE policy defined above, and enable policy-
based traffic selectors on the connection. You can repeat the same steps to add more connections to additional on-
premises policy-based VPN devices from the same Azure VPN gateway.
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.UsePolicyBasedTrafficSelectors
If the line returns "True", then policy-based traffic selectors are configured on the connection; otherwise it will
return "False."
3. Update the policy-based traffic selectors on a connection
Once you obtain the connection resource, you can enable or disable the option.
Disable UsePolicyBasedTrafficSelectors
The example below disables the policy-based traffic selectors option, but leaves the IPsec/IKE policy unchanged:
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
Enable UsePolicyBasedTrafficSelectors
The example below enables the policy-based traffic selectors option, but leaves the IPsec/IKE policy unchanged:
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
Also review Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections for more details on custom
IPsec/IKE policies.
Configure IPsec/IKE policy for S2S VPN or VNet-to-
VNet connections
6/14/2017 10 min to read Edit Online
This article walks you through the steps to configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections
using the Resource Manager deployment model and PowerShell.
About IPsec and IKE policy parameters for Azure VPN gateways
IPsec and IKE protocol standard supports a wide range of cryptographic algorithms in various combinations.
Refer to About cryptographic requirements and Azure VPN gateways to see how this can help ensuring cross-
premises and VNet-to-VNet connectivity satisfy your compliance or security requirements.
This article provides instructions to create and configure an IPsec/IKE policy and apply to a new or existing
connection:
Part 1 - Workflow to create and set IPsec/IKE policy
Part 2 - Supported cryptographic algorithms and key strengths
Part 3 - Create a new S2S VPN connection with IPsec/IKE policy
Part 4 - Create a new VNet-to-VNet connection with IPsec/IKE policy
Part 5 - Manage (create, add, remove) IPsec/IKE policy for a connection
IMPORTANT
1. Please note that IPsec/IKE policy only works on Standard and HighPerformance Route-Based VPN gateways.
2. You can only specify one policy combination for a given connection.
3. You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy
specification is not allowed.
4. Please consult with your VPN device vendor specifications to ensure the policy is supported on your on-premises VPN
devices. S2S or VNet-to-VNet connections cannot establish if the policies are incompatible.
IPSEC/IKEV2 OPTIONS
PFS Group ECP384, ECP256, PFS24, PFS2048, PFS14, PFS2, PFS1, None
NOTE
(*) IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways
(**) Setting "UsePolicyBasedTrafficSelectors" to $True on a connection will configure the Azure VPN gateway to connect
to policy-based VPN firewall on premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device
has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway)
prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network
prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you
need to specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16
See Connect multiple on-premises policy-based VPN devices for more details regarding policy-based traffic
selectors.
Please see Create a S2S VPN connection for more detailed step-by-step instructions for creating a S2S VPN
connection.
Before you begin
Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate
your MSDN subscriber benefits or sign up for a free account.
You'll need to install the Azure Resource Manager PowerShell cmdlets. See Overview of Azure PowerShell for
more information about installing the PowerShell cmdlets.
Step 1 - Create the virtual network, VPN gateway, and local network gateway
1. Declare your variables
For this exercise, we'll start by declaring our variables. Be sure to replace the values with your own when
configuring for production.
$Sub1 = "<YourSubscriptionName>"
$RG1 = "TestPolicyRG1"
$Location1 = "East US 2"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$Connection16 = "VNet1toSite6"
$LNGName6 = "Site6"
$LNGPrefix61 = "10.61.0.0/16"
$LNGPrefix62 = "10.62.0.0/16"
$LNGIP6 = "131.107.72.22"
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
3. Create the virtual network, VPN gateway, and local network gateway
The sample below creates the virtual network, TestVNet1, with three subnets, and the VPN gateway. When
substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you
name it something else, your gateway creation will fail.
You can optionally add "-UsePolicyBasedTrafficSelectors $True" to the create connection cmdlet to enable Azure
VPN gateway to connect to policy-based VPN devices on premises, as described above.
IMPORTANT
Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept the IPsec/IKE
proposal with specified cryptographic algorithms and key strengths on that particular connection. You must ensure your
on-premises VPN device for the connection uses or accepts the exact policy combination, otherwise the S2S VPN tunnel
will not establish.
Please see Create a VNet-to-VNet connection for more detailed steps for creating a VNet-to-VNet connection.
You must complete Part 3 to create and configure TestVNet1 and the VPN Gateway.
Step 1 - Create the second virtual network and VPN gateway
1. Declare your variables
Be sure to replace the values with the ones that you want to use for your configuration.
$RG2 = "TestPolicyRG2"
$Location2 = "East US 2"
$VNetName2 = "TestVNet2"
$FESubName2 = "FrontEnd"
$BESubName2 = "Backend"
$GWSubName2 = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$DNS2 = "8.8.8.8"
$GWName2 = "VNet2GW"
$GW2IPName1 = "VNet2GWIP1"
$GW2IPconf1 = "gw2ipconf1"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"
2. Create the second virtual network and VPN gateway in the new resource group
IMPORTANT
Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept the IPsec/IKE
proposal with specified cryptographic algorithms and key strengths on that particular connection. You must ensure the
IPsec policies for both connections are the same, otherwise the VNet-to-VNet connection will not establish.
After completing these steps, the connection will be establish in a few minutes, and you will have the following
network topology as shown in the beginning:
IMPORTANT
IPsec/IKE policy is supported on Standard and HighPerformance route-based VPN gateways only. It does not work on the
Basic gateway SKU or the policy-based VPN gateway.
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies
The last command will list the current IPsec/IKE policy configured on the connection if there is any. The sample
output shown below for the connection:
SALifeTimeSeconds : 3600
SADataSizeKilobytes : 2048
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES256
IkeIntegrity : SHA384
DhGroup : DHGroup24
PfsGroup : PFS24
If there is no IPsec/IKE policy configured, the command (PS> $connection6.policy) will get an empty return. It
does not mean IPsec/IKE is not configured on the connection, but that there is no custom IPsec/IKE policy. The
actual connection will be using the default polilcy negotiated between your on-premises VPN device and the
Azure VPN gateway .
2. Add or update an IPsec/IKE policy for a connection
The steps to add a new policy or updateg an existing policy on a connection are the same: create a new policy
then apply the new policy to the connection.
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
You can get the connection again to check if the policy is updated.
You should see the output from the last line as shown below:
SALifeTimeSeconds : 3600
SADataSizeKilobytes : 2048
IpsecEncryption : GCMAES128
IpsecIntegrity : GCMAES128
IkeEncryption : AES128
IkeIntegrity : SHA1
DhGroup : DHGroup14--
PfsGroup : None
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$currentpolicy = $connection6.IpsecPolicies[0]
$connection6.IpsecPolicies.Remove($currentpolicy)
Again, you can use the same script above to check if the policy has been removed from the connection.
Next steps
See Connect multiple on-premises policy-based VPN devices for more details regarding policy-based traffic
selectors.
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
Configure active-active S2S VPN connections with
Azure VPN Gateways
4/27/2017 13 min to read Edit Online
This article walks you through the steps to create active-active cross-premises and VNet-to-VNet connections using
the Resource Manager deployment model and PowerShell.
IMPORTANT
Please note that the active-active mode only works in HighPerformance SKU
$Sub1 = "Ross"
$RG1 = "TestAARG1"
$Location1 = "West US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$VNet1ASN = 65010
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPName2 = "VNet1GWIP2"
$GW1IPconf1 = "gw1ipconf1"
$GW1IPconf2 = "gw1ipconf2"
$Connection12 = "VNet1toVNet2"
$Connection151 = "VNet1toSite5_1"
$Connection152 = "VNet1toSite5_2"
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
3. Create TestVNet1
The sample below creates a virtual network named TestVNet1 and three subnets, one called GatewaySubnet, one
called FrontEnd, and one called Backend. When substituting values, it's important that you always name your
gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation will fail.
Step 2 - Create the VPN gateway for TestVNet1 with active -active mode
1. Create the public IP addresses and gateway IP configurations
Request two public IP addresses to be allocated to the gateway you will create for your VNet. You'll also define the
subnet and IP configurations required.
$gw1pip1 = New-AzureRmPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -
AllocationMethod Dynamic
$gw1pip2 = New-AzureRmPublicIpAddress -Name $GW1IPName2 -ResourceGroupName $RG1 -Location $Location1 -
AllocationMethod Dynamic
3. Obtain the gateway public IP addresses and the BGP Peer IP address
Once the gateway is created, you will need to obtain the BGP Peer IP address on the Azure VPN Gateway. This
address is needed to configure the Azure VPN Gateway as a BGP Peer for your on-premises VPN devices.
Use the following cmdlets to show the two public IP addresses allocated for your VPN gateway, and their
corresponding BGP Peer IP addresses for each gateway instance:
PS D:\> $gw1pip1.IpAddress
40.112.190.5
PS D:\> $gw1pip2.IpAddress
138.91.156.129
PS D:\> $vnet1gw.BgpSettingsText
{
"Asn": 65010,
"BgpPeeringAddress": "10.12.255.4,10.12.255.5",
"PeerWeight": 0
}
The order of the public IP addresses for the gateway instances and the corresponding BGP Peering Addresses are
the same. In this example, the gateway VM with public IP of 40.112.190.5 will use 10.12.255.4 as its BGP Peering
Address, and the gateway with 138.91.156.129 will use 10.12.255.5. This information is needed when you set up
your on premises VPN devices connecting to the active-active gateway. The gateway is shown in the diagram
below with all addresses:
Once the gateway is created, you can use this gateway to establish active-active cross-premises or VNet-to-VNet
connection. The following sections will walk through the steps to complete the exercise.
$RG5 = "TestAARG5"
$Location5 = "West US"
$LNGName51 = "Site5_1"
$LNGPrefix51 = "10.52.255.253/32"
$LNGIP51 = "131.107.72.22"
$LNGASN5 = 65050
$BGPPeerIP51 = "10.52.255.253"
The connection should be established after a few minutes, and the BGP peering session will start once the IPsec
connection is established. This example so far has configured only one on-premises VPN device, resulting in the
diagram shown below:
Step 3 - Connect two on-premises VPN devices to the active -active VPN gateway
If you have two VPN devices at the same on-premises network, you can achieve dual redundancy by connecting
the Azure VPN gateway to the second VPN device.
1. Create the second local network gateway for Site5
Note that the gateway IP address, address prefix, and BGP peering address for the second local network gateway
must not overlap with the previous local network gateway for the same on-premises network.
$LNGName52 = "Site5_2"
$LNGPrefix52 = "10.52.255.254/32"
$LNGIP52 = "131.107.72.23"
$BGPPeerIP52 = "10.52.255.254"
2. Connect the VNet gateway and the second local network gateway
Create the connection from TestVNet1 to Site5_2 with "EnableBGP" set to $True
3. VPN and BGP parameters for your second on-premises VPN device
Similarly, below lists the parameters you will enter into the second VPN device:
Once the connection (tunnels) are established, you will have dual redundant VPN devices and tunnels connecting
your on-premises network and Azure:
Create the VPN gateway with the AS number and the "EnableActiveActiveFeature" flag. Note that you must
override the default ASN on your Azure VPN gateways. The ASNs for the connected VNets must be different to
enable BGP and transit routing.
IMPORTANT
Be sure to enable BGP for BOTH connections.
After completing these steps, the connection will be establish in a few minutes, and the BGP peering session will be
up once the VNet-to-VNet connection is completed with dual redundancy:
IMPORTANT
Please note that the active-active mode only works in HighPerformance SKU
2. Create the public IP address, then add the second gateway IP configuration
$GWName = "TestVNetAA1GW"
$RG = "TestVPNActiveActive01"
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
How to configure BGP on Azure VPN Gateways
using PowerShell
6/12/2017 10 min to read Edit Online
This article walks you through the steps to enable BGP on a cross-premises Site-to-Site (S2S) VPN connection and
a VNet-to-VNet connection using the Resource Manager deployment model and PowerShell.
About BGP
BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability
information between two or more networks. BGP enables the Azure VPN Gateways and your on-premises VPN
devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and
reachability for those prefixes to go through the gateways or routers involved. BGP can also enable transit routing
among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.
Please see Overview of BGP with Azure VPN Gateways for more discussion on benefits of BGP and to understand
the technical requirements and considerations of using BGP.
You can combine these together to build a more complex, multi-hop, transit network that meet your needs.
$Sub1 = "Replace_With_Your_Subcription_Name"
$RG1 = "TestBGPRG1"
$Location1 = "East US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$VNet1ASN = 65010
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GWIPName1 = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection12 = "VNet1toVNet2"
$Connection15 = "VNet1toSite5"
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
3. Create TestVNet1
The sample below creates a virtual network named TestVNet1 and three subnets, one called GatewaySubnet, one
called FrontEnd, and one called Backend. When substituting values, it's important that you always name your
gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation will fail.
$fesub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1 $besub1 = New-
AzureRmVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1
Step 2 - Create the VPN Gateway for TestVNet1 with BGP parameters
1. Create the IP and subnet configurations
Request a public IP address to be allocated to the gateway you will create for your VNet. You'll also define the
subnet and IP configurations required.
The last command will show the corresponding BGP configurations on the Azure VPN Gateway; for example:
$vnet1gw.BgpSettingsText
{
"Asn": 65010,
"BgpPeeringAddress": "10.12.255.30",
"PeerWeight": 0
}
Once the gateway is created, you can use this gateway to establish cross-premises connection or VNet-to-VNet
connection with BGP. The following sections will walk through the steps to complete the exercise.
$RG5 = "TestBGPRG5"
$Location5 = "East US 2"
$LNGName5 = "Site5"
$LNGPrefix50 = "10.52.255.254/32"
$LNGIP5 = "Your_VPN_Device_IP"
$LNGASN5 = 65050
$BGPPeerIP5 = "10.52.255.254"
The example below lists the parameters you will enter into the BGP configuration section on your on-premises
VPN device for this exercise:
The connection should be established after a few minutes, and the BGP peering session will start once the IPsec
connection is established.
The instructions below continue from the previous steps listed above. You must complete Part I to create and
configure TestVNet1 and the VPN Gateway with BGP.
Step 1 - Create TestVNet2 and the VPN gateway
It is important to make sure that the IP address space of the new virtual network, TestVNet2, does not overlap with
any of your VNet ranges.
In this example, the virtual networks belong to the same subscription. You can setup VNet-to-VNet connections
between different subscriptions; please refer to Configure a VNet-to-VNet connection to learn more details. Make
sure you add the "-EnableBgp $True" when creating the connections to enable BGP.
1. Declare your variables
Be sure to replace the values with the ones that you want to use for your configuration.
$RG2 = "TestBGPRG2"
$Location2 = "West US"
$VNetName2 = "TestVNet2"
$FESubName2 = "FrontEnd"
$BESubName2 = "Backend"
$GWSubName2 = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$VNet2ASN = 65020
$DNS2 = "8.8.8.8"
$GWName2 = "VNet2GW"
$GWIPName2 = "VNet2GWIP"
$GWIPconfName2 = "gwipconf2"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"
Create the VPN gateway with the AS number. Note that you must override the default ASN on your Azure VPN
gateways. The ASNs for the connected VNets must be different to enable BGP and transit routing.
IMPORTANT
Be sure to enable BGP for BOTH connections.
After completing these steps, the connection will be establish in a few minutes, and the BGP peering session will
be up once the VNet-to-VNet connection is completed.
If you have completed all three parts of this exercise, you will have established a network topology as shown
below:
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
Configure forced tunneling using the Azure Resource
Manager deployment model
4/27/2017 5 min to read Edit Online
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-
to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies.
Without forced tunneling, Internet-bound traffic from your VMs in Azure will always traverse from Azure network
infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work
in. For information about the deployment models, see Understanding deployment models. If you are new to Azure,
we recommend that you use the Resource Manager deployment model.
This article walks you through configuring forced tunneling for virtual networks created using the Resource
Manager deployment model. Forced tunneling can be configured by using PowerShell, not through the portal. If
you want to configure forced tunneling for the classic deployment model, select classic article from the following
dropdown list:
In the example above, the Frontend subnet is not forced tunneled. The workloads in the Frontend subnet can
continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend subnets
are forced tunneled. Any outbound connections from these two subnets to the Internet will be forced or redirected
back to an on-premises site via one of the S2S VPN tunnels.
This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while
continuing to enable your multi-tier service architecture required. You also can apply forced tunneling to the entire
virtual networks if there are no Internet-facing workloads in your virtual networks.
Configuration overview
The following procedure helps you create a resource group and a VNet. You'll then create a VPN gateway and
configure forced tunneling. In this procedure, the virtual network "MultiTier-VNet" has 3 subnets: Frontend,
Midtier, and Backend, with 4 cross-premises connections: DefaultSiteHQ, and 3 Branches.
The procedure steps set the DefaultSiteHQ as the default site connection for forced tunneling, and configure the
Midtier and Backend subnets to use forced tunneling.
Login-AzureRmAccount
9. Create the Gateway with a default site. This step takes some time to complete, sometimes 45 minutes or
more, because you are creating and configuring the gateway.
The -GatewayDefaultSite is the cmdlet parameter that allows the forced routing configuration to work, so
take care to configure this setting properly. This parameter is available in PowerShell 1.0 or later.
$pip = New-AzureRmPublicIpAddress -Name "GatewayIP" -ResourceGroupName "ForcedTunneling" -Location
"North Europe" -AllocationMethod Dynamic
$gwsubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwIpConfig" -SubnetId $gwsubnet.Id -
PublicIpAddressId $pip.Id
New-AzureRmVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling" -Location "North
Europe" -IpConfigurations $ipconfig -GatewayType Vpn -VpnType RouteBased -GatewayDefaultSite $lng1 -
EnableBgp $false
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-
to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies.
Without forced tunneling, Internet-bound traffic from your VMs in Azure will always traverse from Azure network
infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work
in. For information about the deployment models, see Understanding deployment models. If you are new to Azure,
we recommend that you use the Resource Manager deployment model.
This article walks you through configuring forced tunneling for virtual networks created using the classic
deployment model. Forced tunneling can be configured by using PowerShell, not through the portal. If you want to
configure forced tunneling for the Resource Manager deployment model, select classic article from the following
dropdown list:
Configuration overview
In the following example, the Frontend subnet is not forced tunneled. The workloads in the Frontend subnet can
continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend subnets
are forced tunneled. Any outbound connections from these two subnets to the Internet will be forced or redirected
back to an on-premises site via one of the S2S VPN tunnels.
This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while
continuing to enable your multi-tier service architecture required. You also can apply forced tunneling to the entire
virtual networks if there are no Internet-facing workloads in your virtual networks.
In this example, the virtual network "MultiTier-VNet" has three subnets: Frontend, Midtier, and Backend subnets,
with four cross premises connections: DefaultSiteHQ, and three Branches.
The steps will set the DefaultSiteHQ as the default site connection for forced tunneling, and configure the Midtier
and Backend subnets to use forced tunneling.
1. Create a routing table. Use the following cmdlet to create your route table.
New-AzureRouteTable Name "MyRouteTable" Label "Routing Table for Forced Tunneling" Location "North
Europe"
$DefaultSite = @("DefaultSiteHQ")
Set-AzureVNetGatewayDefaultSite VNetName "MultiTier-VNet" DefaultSite "DefaultSiteHQ"
Sometimes the settings for your local network gateway AddressPrefix or GatewayIPAddress change. This article
shows you how to modify your local network gateway settings. You can also modify these settings in the Azure
portal or using the Azure CLI.
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page.
Set the variable for the VirtualNetworkGateway.
Create the connection. This example uses the variable $local that you set in step 2.
2. Modify the 'GatewayIpAddress' value. You can also modify the address prefixes at the same time. Be sure to
use the existing name of your local network gateway to overwrite the current settings. If you don't, you
create a new local network gateway, instead of overwriting the existing one.
New-AzureRmLocalNetworkGateway -Name MyLocalNetworkGWName `
-Location "West US" -AddressPrefix @('10.0.0.0/24','20.0.0.0/24','30.0.0.0/24') `
-GatewayIpAddress "104.40.81.124" -ResourceGroupName MyRGName
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page. To obtain the VirtualNetworkGateway name, you can run the 'Get-
AzureRmVirtualNetworkGateway' cmdlet.
Set the variables.
Next steps
You can verify your gateway connection. See Verify a gateway connection.
Modify local network gateway settings using the
Azure CLI
4/27/2017 2 min to read Edit Online
Sometimes the settings for your local network gateway AddressPrefix or GatewayIPAddress change. This article
shows you how to modify your local network gateway settings. You can also modify these settings in the Azure
portal or PowerShell.
az login
If you have more than one Azure subscription, list the subscriptions for the account.
"gatewayIpAddress": "23.99.222.170",
Next steps
You can verify your gateway connection. See Verify a gateway connection.
Verify a VPN Gateway connection
5/18/2017 3 min to read Edit Online
This article shows you how to verify a VPN gateway connection for both the classic and Resource Manager
deployment models.
Azure portal
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made
a successful connection.
PowerShell
To verify a VPN gateway connection for the Resource Manager deployment model using PowerShell, install the
latest version of the Azure Resource Manager PowerShell cmdlets.
You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection'
cmdlet, with or without '-Debug'.
1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in
order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
Azure CLI
To verify a VPN gateway connection for the Resource Manager deployment model using Azure CLI, install the
latest version of the CLI commands (2.0 or later).
You can verify that your connection succeeded by using the az network vpn-connection show command. In the
example,'--name'refers to the name of the connection that you want to test. When the connection is in the process
of being established, its connection status shows 'Connecting'. Once the connection is established, the status
changes to 'Connected'.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
PowerShell (classic)
To verify your VPN gateway connection for the classic deployment model using PowerShell, install the latest
versions of the Azure PowerShell cmdlets. Be sure to download and install the Service Management module. Use
'Add-AzureAccount' to log in to the classic deployment model.
You can verify that your connection succeeded by using the 'Get-AzureVNetConnection' cmdlet.
1. Use the following cmdlet example, configuring the values to match your own. The name of the virtual
network must be in quotes if it contains spaces.
2. After the cmdlet has finished, view the values. In the example below, the Connectivity State shows as
'Connected' and you can see ingress and egress bytes.
ConnectivityState : Connected
EgressBytesTransferred : 181664
IngressBytesTransferred : 182080
LastConnectionEstablished : 1/7/2016 12:40:54 AM
LastEventID : 24401
LastEventMessage : The connectivity state for the local network site 'RMVNetLocal' changed
from Connecting to
Connected.
LastEventTimeStamp : 1/7/2016 12:40:54 AM
LocalNetworkSiteName : RMVNetLocal
Next steps
You can add virtual machines to your virtual networks. See Create a Virtual Machine for steps.
Reset a VPN Gateway
5/25/2017 3 min to read Edit Online
Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site
VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish
IPsec tunnels with the Azure VPN gateways. This article helps you reset your VPN gateway.
What happens during a reset?
A VPN gateway is composed of two VM instances running in an active-standby configuration. When you reset the
gateway, it reboots the gateway, and then reapplies the cross-premises configurations to it. The gateway keeps the
public IP address it already has. This means you wont need to update the VPN router configuration with a new
public IP address for Azure VPN gateway.
When you issue the command to reset the gateway, the current active instance of the Azure VPN gateway is
rebooted immediately. There will be a brief gap during the failover from the active instance (being rebooted), to the
standby instance. The gap should be less than one minute.
If the connection is not restored after the first reboot, issue the same command again to reboot the second VM
instance (the new active gateway). If the two reboots are requested back to back, there will be a slightly longer
period where both VM instances (active and standby) are being rebooted. This will cause a longer gap on the VPN
connectivity, up to 2 to 4 minutes for VMs to complete the reboots.
After two reboots, if you are still experiencing cross-premises connectivity problems, please open a support request
from the Azure portal.
Azure portal
You can reset a Resource Manager VPN gateway using the Azure portal. If you want to reset a classic gateway, see
the PowerShell steps.
Resource Manager deployment model
1. Open the Azure portal and navigate to the Resource Manager virtual network gateway that you want to reset.
2. On the blade for the virtual network gateway, click 'Reset'.
3. On the Reset blade, click the Reset button.
PowerShell
Resource Manager deployment model
The cmdlet for resetting a gateway is Reset-AzureRmVirtualNetworkGateway. Before performing a reset, make
sure you have the latest version of the Resource Manager PowerShell cmdlets. The following example resets a
virtual network gateway named VNet1GW in the TestRG1 resource group:
Result:
When you receive a return result, you can assume the gateway reset was successful. However, there is nothing in
the return result that indicates explicitly that the reset was successful. If you want to look closely at the history to
see exactly when the gateway reset occurred, you can view that information in the Azure portal. In the portal,
navigate to 'GatewayName' -> Resource Health.
Classic deployment model
The cmdlet for resetting a gateway is Reset-AzureVNetGateway. Before performing a reset, make sure you have
the latest version of the Service Management (SM) PowerShell cmdlets. The following example resets the gateway
for a virtual network named "ContosoVNet":
Result:
Error :
HttpStatusCode : OK
Id : f1600632-c819-4b2f-ac0e-f4126bec1ff8
Status : Successful
RequestId : 9ca273de2c4d01e986480ce1ffa4d6d9
StatusCode : OK
Azure CLI
To reset the gateway, use the az network vnet-gateway reset command. The following example resets a virtual
network gateway named VNet5GW in the TestRG5 resource group:
Result:
When you receive a return result, you can assume the gateway reset was successful. However, there is nothing in
the return result that indicates explicitly that the reset was successful. If you want to look closely at the history to
see exactly when the gateway reset occurred, you can view that information in the Azure portal. In the portal,
navigate to 'GatewayName' -> Resource Health.
Delete a virtual network gateway using the portal
3/30/2017 3 min to read Edit Online
There are a couple of different approaches you can take when you want to delete a virtual network gateway for a
VPN gateway configuration.
If you want to delete everything and start over, as in the case of a test environment, you can delete the
resource group. When you delete a resource group, it deletes all the resources within the group. This is
method is only recommended if you don't want to keep any of the resources in the resource group. You
can't selectively delete only a few resources using this approach.
If you want to keep some of the resources in your resource group, deleting a virtual network gateway
becomes slightly more complicated. Before you can delete the virtual network gateway, you must first
delete any resources that are dependent on the gateway. The steps you follow depend on the type of
connections that you created and the dependent resources for each connection.
2. On the Overview blade for the local network gateway, click Delete.
Step 4: Delete the virtual network gateway
1. In All resources, locate the virtual network gateway that you want to delete.
2. On the Overview blade, click Delete to delete the gateway.
NOTE
If you have a P2S configuration to this VNet in addition to your S2S configuration, deleting the virtual network gateway will
automatically disconnect all P2S clients without warning.
2. On the Overview page for the Public IP address, click Delete, then Yes to confirm.
Step 6: Delete the gateway subnet
1. In All resources, locate the virtual network.
2. On the Subnets blade, click the GatewaySubnet, then click Delete.
3. Click Yes to confirm that you want to delete the gateway subnet.
There are a couple of different approaches you can take when you want to delete a virtual network gateway for a
VPN gateway configuration.
If you want to delete everything and start over, as in the case of a test environment, you can delete the
resource group. When you delete a resource group, it deletes all the resources within the group. This is
method is only recommended if you don't want to keep any of the resources in the resource group. You
can't selectively delete only a few resources using this approach.
If you want to keep some of the resources in your resource group, deleting a virtual network gateway
becomes slightly more complicated. Before you can delete the virtual network gateway, you must first
delete any resources that are dependent on the gateway. The steps you follow depend on the type of
connections that you created and the dependent resources for each connection.
Before beginning
1. Download the latest Azure Resource Manager PowerShell cmdlets.
Download and install the latest version of the Azure Resource Manager PowerShell cmdlets. For more information
about downloading and installing PowerShell cmdlets, see How to install and configure Azure PowerShell.
2. Connect to your Azure account.
Open your PowerShell console and connect to your account. Use the following example to help you connect:
Login-AzureRmAccount
Get-AzureRmSubscription
If you have more than one subscription, specify the subscription that you want to use.
NOTE
If you have a P2S configuration to this VNet in addition to your S2S configuration, deleting the virtual network gateway will
automatically disconnect all P2S clients without warning.
$GWIpConfigs = $Gateway.IpConfigurations
8. Get the list of Public IP addresses used for this virtual network gateway
If the virtual network gateway was active-active, you will see two Public IP addresses.
There may be other connections to the virtual network gateway that are part of a different resource group. Check
for additional connections in each additional resource group. In this example, we are checking for connections
from RG2. Run this for each resource group that you have which may have a connection to the virtual network
gateway.
In this example, we are checking for connections from RG2. Run this for each resource group that you have which
may have a connection to the virtual network gateway.
NOTE
If you have P2S configurations to your VNets in addition to your V2V configuration, deleting the virtual network gateways
will automatically disconnect all P2S clients without warning.
$GWIpConfigs = $Gateway.IpConfigurations
7. Get the list of Public IP addresses used for this virtual network gateway.
If the virtual network gateway was active-active, you will see two Public IP addresses.
$GWIpConfigs = $Gateway.IpConfigurations
4. Get the list of Public IP addresses used for this virtual network gateway.
If the virtual network gateway was active-active, you will see two Public IP addresses.
Get-AzureRmResourceGroup
ResourceGroupName : RG1
Location : eastus
ProvisioningState : Succeeded
Delete a virtual network gateway using PowerShell
(classic)
5/11/2017 3 min to read Edit Online
This article helps you delete a VPN gateway in the classic deployment model by using PowerShell. After the virtual
network gateway has been deleted, modify the network configuration file to remove elements that you are no
longer using.
Add-AzureAccount
Open the file with a text editor and view the name for your classic VNet. When you create a VNet in the Azure
portal, the full name that Azure uses is not visible in the portal. For example, a VNet that appears to be named
'ClassicVNet1' in the Azure portal, may have a much longer name in the network configuration file. The name
might look something like: 'Group ClassicRG1 ClassicVNet1'. Virtual network names are listed as
'VirtualNetworkSite name ='. Use the names in the network configuration file when running your PowerShell
cmdlets.
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="D1BFC9CB_Site2">
<Connection type="IPsec" />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
Example:
<Gateway>
<ConnectionsToLocalNetwork>
</ConnectionsToLocalNetwork>
</Gateway>
<LocalNetworkSites>
<LocalNetworkSite name="Site1">
<AddressSpace>
<AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>5.4.3.2</VPNGatewayAddress>
</LocalNetworkSite>
<LocalNetworkSite name="Site3">
<AddressSpace>
<AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>57.179.18.164</VPNGatewayAddress>
</LocalNetworkSite>
</LocalNetworkSites>
Client AddressPool
If you had a P2S connection to your VNet, you will have a VPNClientAddressPool. Remove the client address
pools that correspond to the virtual network gateway that you deleted.
<Gateway>
<VPNClientAddressPool>
<AddressPrefix>10.1.0.0/24</AddressPrefix>
</VPNClientAddressPool>
<ConnectionsToLocalNetwork />
</Gateway>
Example:
<Gateway>
<ConnectionsToLocalNetwork />
</Gateway>
GatewaySubnet
Delete the GatewaySubnet that corresponds to the VNet.
<Subnets>
<Subnet name="FrontEnd">
<AddressPrefix>10.11.0.0/24</AddressPrefix>
</Subnet>
<Subnet name="GatewaySubnet">
<AddressPrefix>10.11.1.0/29</AddressPrefix>
</Subnet>
</Subnets>
Example:
<Subnets>
<Subnet name="FrontEnd">
<AddressPrefix>10.11.0.0/24</AddressPrefix>
</Subnet>
</Subnets>
If you want to create a secure cross-premises connection between Azure and your on-premises location, you need
to create a virtual network gateway. A VPN gateway is a specific type of virtual network gateway. In the classic
deployment model, a VPN gateway can be one of two VPN routing types: static, or dynamic. The VPN type you
choose depends on both your network design plan, and the on-premises VPN device you want to use. For more
information about VPN devices, see About VPN Devices.
About Azure deployment models
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work
in. For information about the deployment models, see Understanding deployment models. If you are new to Azure,
we recommend that you use the Resource Manager deployment model.
Configuration overview
The following steps walk you through configuring your VPN gateway in the classic portal. These steps apply to
gateways for virtual networks that were created using the classic deployment model. Currently, not all of the
configuration settings for gateways are available in the Azure portal. When they are, we will create a new set of
instructions that apply to the Azure portal.
Before you begin
Before you configure your gateway, you first need to create your virtual network. For steps to create a virtual
network for cross-premises connectivity, see Configure a virtual network with a site-to-site VPN connection, or
Configure a virtual network with a point-to-site VPN connection. Then, use the following steps to configure the
VPN gateway and gather the information you need to configure your VPN device.
If you already have a VPN gateway and you want to change the VPN routing type, see How to change the VPN
routing type for your gateway.
Next, at the bottom of the page, click Create Gateway. You can select either Static Routing or Dynamic Routing.
The VPN routing type you select depends on few factors. For example, what your VPN device supports and
whether you need to support point-to-site connections. Check About VPN Devices for Virtual Network
Connectivity to verify the VPN routing type that you need. Once the gateway has been created, you can't change
between gateway VPN routing types without deleting and re-creating the gateway. When the system prompts you
to confirm that you want the gateway created, click Yes.
When your gateway is creating, notice the gateway graphic on the page changes to yellow and says Creating
Gateway. It may take up to 45 minutes for the gateway to create. Wait until the gateway is complete before you
can move forward with other configuration settings.
When the gateway changes to Connecting, you can gather the information you'll need for your VPN device.
Site-to-Site connections
Step 1. Gather information for your VPN device configuration
If you are creating a Site-to-Site connection, after the gateway has been created, gather information for your VPN
device configuration. This information is located on the Dashboard page for your virtual network:
1. Gateway IP address - The IP address can be found on the Dashboard page. You won't be able to see it until
after your gateway has finished creating.
2. Shared key - Click Manage Key at the bottom of the screen. Click the icon next to the key to copy it to your
clipboard, and then paste and save the key. This button only works when there is a single S2S VPN tunnel. If
you have multiple S2S VPN tunnels, use the Get Virtual Network Gateway Shared Key API or PowerShell
cmdlet.
IMPORTANT
When you delete a virtual network VPN gateway, the VIP assigned to the gateway is released. When you recreate the
gateway, a new VIP is assigned to it.
Next steps
You can add virtual machines to your virtual network. See How to create a custom virtual machine.
If you want to configure a point-to-site VPN connection, see Configure a point-to-site VPN connection.
Working with virtual network gateway SKUs (old
SKUs)
6/7/2017 2 min to read Edit Online
This article contains information about the old virtual network gateway SKUs. For information on the current SKUs,
see About VPN Gateway.
Gateway SKUs
The old VPN gateway SKUs are:
Basic
Standard
HighPerformance
VPN Gateway does not use the UltraPerformance gateway SKU. For information about the UltraPerformance SKU,
see the ExpressRoute documentation.
When working with the old SKUs, consider the following:
If you want to use a PolicyBased VPN type, you must use the Basic SKU. PolicyBased VPNs (previously called
Static Routing) are not supported on any other SKU.
BGP is not supported on the Basic SKU.
ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU.
Active-active S2S VPN Gateway connections can be configured on the HighPerformance SKU only.
(1) The VPN throughput is a rough estimate based on the measurements between VNets in the same Azure region.
It is not a guaranteed throughput for cross-premises connections across the Internet. It is the maximum possible
throughput measurement.
(2) The number of tunnels refer to RouteBased VPNs. A PolicyBased VPN can only support one Site-to-Site VPN
tunnel.
(3) BGP is not supported for the Basic SKU.
(4) PolicyBased VPNs are not supported for this SKU. They are supported for the Basic SKU only.
(5) Active-active S2S VPN Gateway connections are not supported for this SKU. Active-active is supported on the
HighPerformance SKU only.
(6) Basic SKU is deprecated for use with ExpressRoute.
Authentication Pre-shared key Pre-shared key for Pre-shared key for Pre-shared key for
method S2S connectivity, S2S connectivity, S2S connectivity,
Certificates for P2S Certificates for P2S Certificates for P2S
connectivity connectivity connectivity
Maximum number 1 10 10 30
of S2S connections
A VPN gateway connection enables you to establish secure, cross-premises connectivity between your Virtual
Network within Azure and your on-premises IT infrastructure.
This article shows how to validate network throughput from the on-premises resources to an Azure virtual
machine. It also provides troubleshooting guidance.
NOTE
This article is intended to help diagnose and fix common issues. If you're unable to solve the issue by using the following
information, contact support.
Overview
The VPN gateway connection involves the following components:
On-premises VPN device (view a list of validated VPN devices).
Public Internet
Azure VPN gateway
Azure virtual machine
The following diagram shows the logical connectivity of an on-premises network to an Azure virtual network
through VPN.
NOTE
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft.
Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
netsh advfirewall firewall add rule name="Open Port 5001" dir=in action=allow protocol=TCP
localport=5001
netsh advfirewall firewall delete rule name="Open Port 5001" protocol=TCP localport=5001
Azure Linux: Azure Linux images have permissive firewalls. If there is an application listening on a port, the
traffic is allowed through. Custom images that are secured may need ports opened explicitly. Common Linux
OS-layer firewalls include iptables , ufw , or firewalld .
3. On the server node, change to the directory where iperf3.exe is extracted. Then run iPerf in server mode and
set it to listen on port 5001 as the following commands:
cd c:\iperf-3.1.2-win65
iperf3.exe -s -p 5001
4. On the client node, change to the directory where iperf tool is extracted and then run the following
command:
iperf3.exe -c <IP of the iperf Server> -t 30 -p 5001 -P 32
The client is inducing traffic on port 5001 to the server for 30 seconds. The flag '-P ' that indicates we are
using 32 simultaneous connections to the server node.
The following screen shows the output from this example:
6. After completing the previous steps, execute the same steps with the roles reversed, so that the server node
will now be the client and vice-versa.
Insufficient VM disk read/write speed. For more information, see Azure Storage Troubleshooting.
Checking latency
Use tracert to trace to Microsoft Azure Edge device to determine if there are any delays exceeding 100 ms between
hops.
From the on-premises network, run tracert to the VIP of the Azure Gateway or VM. Once you see only * returned,
you know you have reached the Azure edge. When you see DNS names that include "MSN" returned, you know
you have reached the Microsoft backbone.
Next steps
For more information or help, check out the following links:
Optimize network throughput for Azure virtual machines
Microsoft Support